Health insurer Anthem Inc, which earlier this month reported that it was hit by a massive cyberbreach, said on Tuesday that 8.8 million to 18.8 million people who were not its customers could be victims in the attack.
Anthem, the country's second-largest health insurer, is part of a national network of independently run Blue Cross Blue Shield plans through which BCBS customers can receive medical services when they are in an area where BCBS is operated by a different company.
It is those Blue Cross Blue Shield customers who were potentially affected because their records may be included in the database that was hacked, the company said.
It is the first time that Anthem has quantified the impact of the breach on members of health insurance plans that it does not operate.
Anthem updated the total number of records accessed in the database to 78.8 million customers from its initial estimate of 80 million, which includes 14 million incomplete records that it found.
Anthem does not know the exact number of Anthem versus non-Anthem customers affected by the breach because of those incomplete records, which prevent it from linking all members with their plan, Anthem spokeswoman Kristin Binns said.
Security experts are warning that healthcare and insurance companies are especially vulnerable to cybercriminals who want to steal personal information to sell on the underground market.
Anthem continued to estimate that tens of millions of customer records were stolen, rather than simply accessed. The spokeswoman added that the company's investigation was ongoing. Federal and state authorities are also investigating.
Anthem runs Blue Cross Blue Shield healthcare plans in 14 states, while plans in states such as Texas and Florida are run independently. In all, 37 companies cover about 105 million people under the Blue Cross Blue Shield license.
Binns said the company still believes the hacked data were restricted to names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information such as income data.
Anthem will start mailing letters next week to Anthem customers and other Blue Cross Blue Shield members affected by the hacking. It will offer two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection.
(Reporting by Caroline Humer; Additional reporting by Jim Finkle in Boston; Editing by G Crosse, J Benkoe and Cynthia Osterman)