Data leak

Excellus BlueCross BlueShield APT Breach (10.5M Members, 20 Months Undetected)

📅 2013-12-01
Primary Source ↗

Incident Details

Excellus BlueCross BlueShield, a Rochester, New York-based health insurer covering approximately 3.5 million members in upstate New York, disclosed on September 10, 2015 that attackers had gained access to its IT systems as early as December 2013, remaining undetected for approximately 20 months until Excellus engaged Mandiant to conduct a proactive forensic assessment in August 2015 (prompted by the high-profile Anthem and Premera breaches earlier in 2015). Approximately 10.5 million individuals were affected, including current and former Excellus plan members, employees, and individuals whose employers use Excellus as their health plan. Exposed data included names, dates of birth, Social Security numbers, member identification numbers, financial account information, claims data, and health plan enrollment information. The same China-linked domain registrant infrastructure identified in the Anthem, Premera, and CareFirst breaches was also identified in the Excellus intrusion, suggesting a coordinated multi-target APT campaign against U.S. health insurers. Breach investigation and notification costs exceeded $17.3 million. Excellus settled a multistate investigation for approximately $5.1 million.

Technical Details

Initial Attack Vector
Sophisticated APT intrusion, consistent with the Chinese state-linked APT campaign that also targeted Anthem, Premera Blue Cross, and CareFirst BCBS in the same period. The attackers maintained undetected access for approximately 20 months. The compromise was only revealed when Excellus engaged Mandiant for a forensic assessment after sister organizations were breached.

Timeline

  1. 2013-12-01 Breach occurred
  2. 2015-09-10 Publicly disclosed
  3. 2015-09-10 Customers notified