CareFirst, which has a total of 3.4 million customers, said that the breach took place in June 2014 but was only recently discovered as part of security efforts put in place after other insurers were hacked.
Anthem Inc , the second-largest U.S. insurer, said early this year that the records of 80 million people were accessed by hackers. In May, Premera Blue Cross said that 11 million customers' information may have been exposed in a hack.
CareFirst said that the attackers accessed one database and could have potentially acquired member user names created by individuals to use CareFirst's website, names, birth dates, email addresses and member identification numbers.
CareFirst has blocked member access to these accounts and has requested members to create new user names and passwords.
The company said the database is also used by non-members that access CareFirst's websites and online services.
Mandiant, the technology company that conducted the review, found no indication of any other prior or subsequent attack or that other personal information was taken, CareFirst said.
The database did not include Social Security numbers, medical claims, employment, credit card or financial information.
© Thomson Reuters 2015