New York insurer Excellus Blue Cross and Blue Shield has experienced a sophisticated cyberattack by hackers who may have gained access to over 10 million personal records.

Excellus discovered the attack on Aug. 5 and an investigation determined that it occurred on Dec. 23, 2013, according to a statement from Christopher Booth, the insurer's CEO. The hackers are believed to have had access to customers' names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification, financial account information and claims information, which would likely include medical data.

The attack affected about 7 million Excellus members and 3.5 million members of its non-Blues subsidiary, Lifetime Healthcare. 

Excellus has notified the FBI and is cooperating with the bureau's investigation.

“We have already taken aggressive steps to remediate our IT system of issues raised by this cyberattack,” Booth said.

The incident also affects members of other Blues plans who sought treatment in Excellus' 31-county upstate New York service area as well as individuals who do business with the insurer and have provided their financial account information or Social Security numbers.

An investigation by Excellus has not determined that any data was removed from the insurer's systems, and is there no evidence the compromised data has been used fraudulently.