Health insurer Anthem Inc. reported late Wednesday that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees.

Anthem, which is the number-two health insurer in the U.S. with 37.5 million U.S. customers, said that the breach did not appear to involve medical information or financial details such as credit card or bank account information, but the “very sophisticated attack” included access to names, birthdays, Social Security numbers, street addresses, email addresses and employment information, including income data.

The insurer reported that it immediately made every effort to close the security vulnerability and reported the attack to the FBI. Cybersecurity firm FireEye Inc. said it has been hired by Anthem to investigate further.

An early estimate reported by the Wall Street Journal said it was suspected that the records of tens of millions of people had been taken, making it likely the largest data breach involving a U.S. health insurer.

According to Reuters, “Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.”

Anthem said that it would send a letter and email to everyone whose data was stored on the hacked database; the company will offer to provide a credit monitoring service, and it has set up an informational website at www.anthemfacts.com.