Overseas hackers gained access to confidential information belonging to tens of thousands of students and alumni at UC Berkeley and Mills College after breaking into computer databases at the Berkeley campus' health services center, officials said Friday.

The databases contained 97,000 Social Security numbers, health insurance information and nontreatment medical information, such as immunization records, names of doctors whom people may have seen and dates of medical visits, said Shelton Waggener, UC Berkeley's associate vice chancellor for information technology and its chief information officer.

What remains unclear is whether the thieves were able to create an entire identity for fraudulent purposes. Many people's personal data were housed in different areas of the computer system, and investigators don't know whether the hackers were able to match up the different types of data - such as a name with a Social Security number.

No students have reported being the victims of identity theft, officials said.

University officials stressed that hackers had not obtained medical records - including diagnoses, treatments and therapies - because they are stored in a separate system.

The hackers, primarily from China and elsewhere in Asia, had access to the information for six months before they were discovered. The breach exposed the records of 160,000 people, of whom 97,000 had Social Security numbers included in the database, officials said.

The university is contacting potential victims, who should consider placing a fraud alert on their credit reporting accounts, UC said.

Among those at risk are 3,400 students at Mills College in Oakland who received, or were eligible to receive, health care at UC Berkeley.

Hackers had access to records of students and alumni at UC Berkeley dating back to 1999 and current and former Mills students going back to 2001. Spouses and parents are also vulnerable if they were linked to students' insurance coverage.

The hackers broke into the computer system Oct. 9 and were not discovered until April 9, when administrators performing routine maintenance came across an "anomaly" in the system and found taunting messages that had been posted three days earlier, UC said.

Investigators suspect that the hackers accessed a public Web site and then bypassed additional secured databases stored on the same server, Waggener said. But investigators have not determined how sophisticated the operation was.

Waggener said that although the data should have been better protected, "we are an open network. We are an open campus."

The breach didn't sit well with Justin Kidd, 29, a student at UC Berkeley's School of Law. He said he was annoyed that officials had waited until Friday to notify him that his information had been exposed, and he still doesn't know "what they've opened and what they might open in the future."

"Their negligence has shifted all this burden on me," Kidd said. "As a young person, I don't have a house, I don't have established credit. It's really scary and frustrating, and I feel a little bit betrayed by Cal."

Jim McCartney, a Washington, D.C., identity theft and privacy consultant, warned that many identity thieves manage to cover their tracks and that some fraudulent transactions might not be noticed for at least a year.

McCartney excoriated UC Berkeley officials, saying, "They should be taking the basic steps to covering all the bases, and it sounds like they're not. That's completely unacceptable. They need to have better security and better access-control rules."

The campus is sending out e-mails and letters to potential victims of the hacking. People with questions can call a hot line, (888) 729-3301.