The CareFirst attack occurred in June 2014, according to a Web site set up by the insurer. The company said its cyber-security team thought it had fended off the attack at the time, but a recent review discovered that the attackers had gained access to the usernames that customers created on its Web site as well as their real names, birth dates, e-mail addresses and subscriber identification numbers.
The database the hackers accessed did not contain members' Social Security numbers, medical claims, employment, credit card or financial information, the company said.
"We deeply regret the concern this attack may cause," CareFirst President and CEO Chet Burrell said in a statement. "We are making sure those affected understand the extent of the attack – and what information was and was not affected."
The company said it first learned that data on customers was accessed nearly a month ago, on April 21, during the course of a review of its systems by cybersecurity firm Mandiant. CareFirst said it did not disclose the discovery until now so it could complete its investigation of the incident.
CareFirst is offering affected customers two years of free credit monitoring and identity-theft protection services. The FBI said it is investigating the intrusion.
The bureau "is working with the victim company in order to determine the nature and scope of this incident," an FBI spokesperson said in an e-mailed statement.
Dave Kennedy, the founder of cybersecurity firm TrustedSec, said consumers can expect more health-care industry breaches to be disclosed. "There are probably a whole lot of other places that are just now discovering they were breached," he said.
Health insurers hold vast amounts of personal information, making them an attractive target for hackers. "There's so much value in this information," Kennedy said. State-sponsored attackers might be looking for data about government employees or contractors while other cyber-criminals may be hoping to sell the data to underground black markets for use in identity theft or medical fraud, he said.
Ellen Nakashima contributed to this report.
Correction: An earlier version of this story misstated the day CareFirst BlueCross BlueShield announced the cyberattack; it was announced Wednesday.