Data leak

Excellus BlueCross BlueShield Data Breach — 10.5 Million Members, Nation-State APT

📅 2013-12-23 🏢 Excellus BlueCross BlueShield member database

Incident Details

In December 2013, a sophisticated cyberattack — widely attributed to a China-linked nation-state APT group believed to be the same threat actor responsible for the Anthem and Premera health insurance breaches — gained access to Excellus BlueCross BlueShield’s IT systems in Upstate New York. The attack went undetected for approximately 20 months. Excellus commissioned Mandiant to conduct a forensic investigation and discovered the breach in August 2015 during a proactive security assessment prompted by the high-profile Anthem and Premera disclosures. Approximately 10.5 million individuals were affected, including members of Excellus, Lifetime Health, The Medical Associates Health Plan of Western New York, and certain Blue Cross Blue Shield plans. Compromised data included Social Security numbers, dates of birth, mailing addresses, telephone numbers, member identification numbers, financial account information, and claims information. Excellus notified HHS OCR and regulators in September 2015. Class-action lawsuits were filed. OCR resolved the investigation in January 2021 with a $5.1 million settlement. The three concurrent health insurer breaches (Anthem, Premera, Excellus) in 2014-2015 collectively exposed data for approximately 100 million Americans and were widely interpreted as a coordinated Chinese intelligence-gathering operation targeting health insurance records.

Technical Details

Initial Attack Vector
A nation-state APT group (assessed as the same Chinese threat actor responsible for the Anthem and Premera breaches) gained initial access in December 2013 via unknown means and maintained persistent access for approximately 20 months before being discovered during a forensic investigation.
Vendor / Product
Excellus BlueCross BlueShield member database

Timeline

  1. 2013-12-23 Breach occurred
  2. 2015-09-09 Publicly disclosed
  3. 2015-09-09 Customers notified