
Aflac Data Breach: PHI of At Least 13.9 Million Individuals Compromised

We previously reported that the Aflac data breach had affected 22.65 million individuals worldwide; however, it was unclear exactly how many of those individuals were in the United States or how many individuals had protected health information (PHI) compromised in the incident. PHI is personally identifiable information related to healthcare that is afforded additional protections under the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Breach Notification Rule requires notifications to be issued to the affected individuals and for the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to be notified about a data breach within 60 days of the discovery of a breach. If the number of affected individuals has not been determined by the breach reporting deadline, OCR requires an estimate to be provided for the number of affected individuals. Many entities use a placeholder figure of 500 or 501 affected individuals in such cases. Aflac reported the data breach using a 500 placeholder figure.

Aflac has recently provided an update to OCR confirming that the protected health information of at least 13,924,906 individuals was exposed or stolen. That number could change again as the investigation proceeds, but as it stands, the Aflac data breach is the largest healthcare data breach of 2025 for which the number of affected individuals has been confirmed. It was not, however, the largest healthcare data breach of the year overall, an unenviable accolade earned by the HIPAA business associate Conduent Business Services. The scale of that data breach has yet to be confirmed, but it is known to have affected more than 25 million individuals.

December 29, 2025: Insurance Giant Aflac Confirms 22.65 Million Individuals Affected by June Cyberattack

The Columbus, GA-based insurance giant Aflac experienced a cyberattack in June 2025 that was reported to the HHS’ Office for Civil Rights on August 8, 2025, using a placeholder figure of 500 affected individuals. It has taken several months, but Aflac has now confirmed that the data breach was substantial, affecting approximately 26,500,000 individuals. Aflac is a Fortune 500 company that specializes in supplemental health insurance coverage for medical expenses not covered by a primary insurance provider. Aflac has subsidiaries in the United States and Japan, and around 50 million customers worldwide.


Suspicious activity was identified within Aflac’s network on June 12, 2025. The intrusion was contained within hours, and the investigation confirmed that multiple Aflac systems had been compromised that same day. Aflac confirmed that the threat actor accessed multiple user accounts through social engineering, and said the threat actor “may be affiliated with a known cyber-criminal organization; federal law enforcement and third-party cybersecurity experts have indicated that this group may have been targeting the insurance industry at large.”

While that threat actor was not named in the Aflac breach notice, it is likely to be the hacking group Scattered Spider, which is known to have targeted the insurance industry earlier this year. Scattered Spider is a financially motivated collective of young English-speaking hackers with members primarily located in the United States and the United Kingdom. The group is known to conduct social engineering attacks for initial access. The HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about the group in October 2024 due to the threat posed to the healthcare and public health sector. The group has previously conducted a social engineering campaign against hospital IT help desks, as well as campaigns targeting the aviation, insurance, and retail sectors, MSPs, and IT vendors.

When the data breach was first announced in the summer, Aflac was still conducting its investigation. It has now been confirmed that the compromised data includes members’ names, addresses, dates of birth, government-issued ID numbers such as passport and state ID card numbers, driver’s license numbers, Social Security numbers, medical information, and health insurance information. The compromised data relates to customers, beneficiaries, employees, agents, and other individuals in Aflac’s U.S. business. Aflac has started issuing notification letters to the affected individuals and is offering them complimentary credit monitoring and identity theft protection services for 24 months. At the time of issuing notification letters, Aflac was unaware of any misuse of the stolen data.

It is currently unclear how many of the affected customers are in the United States, but this appears to be one of the largest U.S. healthcare data breaches of the year, if not the largest healthcare data breach of 2025. More than 20 class action lawsuits have been filed in response to the data breach, and regulatory investigations have been initiated to determine if the company was compliant with state and federal data privacy and security laws.

August 28, 2025: Senators Demand Answers from Aflac About June 2025 Cyberattack

A bipartisan pair of senators has written to Aflac Chairman and CEO Daniel P. Amos seeking further information about a recently disclosed cyberattack and data breach. Sen. Bill Cassidy (R-La.), chairman of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Margaret Wood Hassan (D-N.H.), are requesting greater transparency about the incident.

Aflac disclosed the incident on June 12, 2025, in a filing with the U.S. Securities and Exchange Commission (SEC), and subsequently issued a press release confirming that customers’ personal and protected health information was compromised in the incident. The senators have requested further information about the incident, including the security measures in place prior to the cyberattack, how cybersecurity best practices implemented by other critical infrastructure sectors have been incorporated at Aflac, which federal agencies were notified about the incident, and when those notifications were issued.

Aflac has stated that claims and health information were compromised in the incident. The senators want to know what steps have been taken to identify the information that was compromised, when the steps to identify the affected information will be finalized, how Aflac is proactively communicating with the individuals potentially affected by the incident, and what steps have been taken or will be taken in response to the cyberattack to improve its security protocols.

The senators also want to know what additional reporting, beyond the requirements of the Health Insurance Portability and Accountability Act, Aflac commits to doing for individuals whose information was impermissibly disclosed in the incident. Aflac has been given until September 5, 2025, to respond and provide answers to the questions.

June 23, 2025: Aflac Latest Insurer to Suffer Cyberattack and Data Breach

The Columbus, Georgia-based insurance giant Aflac has recently announced that it has fallen victim to a cyberattack. Aflac is the largest provider of supplemental insurance in the United States and claims to provide financial protection for more than 50 million people worldwide.

Aflac disclosed the cyberattack in a June 12, 2025, filing with the U.S. Securities and Exchange Commission (SEC), explaining it had initiated its cybersecurity incident response protocols and contained the intrusion within hours. The attack did not affect business operations, and it has continued to underwrite policies, review claims, and otherwise service customers as usual.

Aflac has engaged the services of leading cybersecurity experts to support its own breach response efforts, and the investigation into the attack is ongoing. Aflac said ransomware was not deployed in the incident; however, data does appear to have been exposed. A review of the potentially exposed files is underway. At this early stage of the file review, it is not possible to determine how many individuals have been affected.

Aflac said the exposed data likely includes names, claims information, health information, Social Security numbers, and other personal information related to customers, beneficiaries, employees, agents, and other individuals in its U.S. business. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, and regulators will be notified about the extent of the data breach. “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” explained Aflac in a press release about the cybersecurity incident. “This was part of a cybercrime campaign against the insurance industry.” The data breach was reported to the HHS’ Office for Civil Rights on August 8, 2025, although a placeholder figure of 500 was used for the number of affected individuals. That figure will be updated when the file review is completed and all affected individuals have been identified.

The cybercrime campaign has involved attacks on other large insurers in the United States, including the Pennsylvania-based insurers Erie Insurance Group and Philadelphia Insurance Companies. Similar to the Aflac attack, these two incidents did not involve file encryption, only data theft. There has been no attribution so far, although the timing of these attacks suggests a single threat actor is behind all three incidents.

The likely culprit is a threat group known as Scattered Spider, which is known to target large companies in one sector at a time. Recently, Scattered Spider has targeted the retail sector, with its attacks including the UK retailers Marks & Spencer, Co-op, and the Harrods luxury department store, and U.S. attacks on Victoria’s Secret and United Natural Foods, which supplies the Amazon-owned grocery chain Whole Foods.

Researchers at the Google Threat Intelligence Group issued a warning early last week that the group has pivoted to the insurance industry, and ReliaQuest warned that the group is targeting IT service providers and managed service providers (MSPs) in order to attack their downstream clients. Google Threat Intelligence Group researchers recently confirmed that the recent attacks on the insurance sector show the hallmarks of a targeted Scattered Spider campaign.

Scattered Spider typically breaches company networks and deploys ransomware after data exfiltration, but ransomware was not deployed in these attacks. It is possible that the attacks were detected and blocked before ransomware was deployed, but the group may have simply changed tactics, focusing on data theft and extortion alone. While the perpetrator has yet to be confirmed, it is clear that the insurance industry is being targeted. All insurers should remain on high alert as there could well be further attempted cyberattacks on the sector.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
