The Atlanta Journal-Constitution reported in Tuesday's editions that the letters were sent last week by Blue Cross and Blue Shield of Georgia. They include the patient's name and ID number, the name of the medical service provider and the amounts charged and owed.
Company spokeswoman Cindy Sanders said "a small percentage" of the letters also contained Social Security numbers.
State Insurance Commissioner John Oxendine said the matter is "very, very serious."
He has ordered the company to give written notice to policyholders whose names were on the Explanation of Benefits letters and compile a list of names of those who mistakenly received the forms. He also is requiring the company to give a year of free credit monitoring to all affected customers.
Company officials said the problem was caused by a change in the computer system. The problem has been fixed, officials said.
Blue Cross, which has about 3 million policyholders in Georgia, is removing all Social Security numbers from mailings, Sanders said.
Registered nurse Rhonda Bloschock of Atlanta was shocked when she received letters for nine different Blue Cross customers in the mail Friday. She called the mistake a "serious privacy breach."
The federal Health Insurance Portability and Accountability Act, passed in 1996, makes it illegal in most cases to disclose patients' medical information without their permission.