Hackers, possibly from Asia, have stolen about a decade’s worth of personal information on current and former UC-Berkeley students, the university announced Friday.

The breaches involved records dating to 1999 at the school’s health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians.

No other treatment-related records were stolen, the university said, although self-reported medical histories of students who studied abroad were hacked.

The school on Friday sent e-mails and letters to 160,000 people, including about 3,400 Mills College students who used or were eligible for University of California-Berkeley medical services.

About 97,000 people are most at risk because their names and Social Security numbers could be connected by the hackers, said Steve Lustig, the university’s associate vice chancellor for health and human services.

“What’s been taken is bits of data that the thief might put together into an identity,” he said.

The university traced the hackers back to Asia, possibly China, but the exact origin could not be pinpointed.

UC and FBI investigators are probing the breaches, which apparently occurred over several months. An FBI spokesman said the agency was informed of the hacking immediately, but declined to provide more information.

The thefts were discovered about a month ago, but system administrators did not realize the breadth of the attack until April 21.

The hackers disguised their work as routine operations and then left taunting messages for UC-Berkeley employees, said Shelton Waggener, the university’s associate vice chancellor for information technology. The thieves accessed the information through the university Web site, he said.

“You should think of it as a public building,” Waggener said. “They got into the building properly, but then they broke into secure areas.”

Administrators at Mills College, which contracts with UC-Berkeley for health services, declined to comment.

Friday’s announcement shocked and dismayed students.

“We’re all young people and we don’t have a lot of credit established,” said UC-Berkeley law student Justin Kidd. “That’s really frightening to someone in my situation.”

Kidd also said he was angry that the university would not pay for ongoing credit monitoring. The school recommended that affected students and alumni sign up for free monitoring, which expires every 90 days.

“I’ve got to do that every 90 days until God knows when,” Kidd said.

Thieves worldwide have set up black markets to sell stolen data, said John Mitchell, a Stanford University computer-science professor. Asia, Eastern Europe and Nigeria have particularly active hackers, he said.

But the taunting messages left by the hackers who targeted Berkeley may indicate they are amateurs, Mitchell said.

“If your intent is to steal information and sell it on the black market, you’re probably not going to call attention to yourself like that,” he said.

“It could be that these are kids.”