Aflac Alerts 22.6 Million Individuals About June Data Breach


Aflac’s Cyber Breach May Stand as the Largest Health Data Breach in the U.S. for 2025


Aflac, the premier supplemental health insurance provider in the U.S., is alerting approximately 22.65 million individuals that their sensitive personal and health information, including Social Security numbers, may have been stolen in a data breach that occurred in June 2025. The company disclosed this information in a recent update.

At present, Aflac’s reported figures for the breach are not yet reflected in the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool, which tracks health data breaches involving 500 or more affected individuals. The company initially filed a HIPAA breach report with the HHS Office for Civil Rights in August, projecting that 500 individuals were impacted.

Once the HHS OCR updates its records to include Aflac’s estimation of 22.65 million affected individuals, this breach could be classified as the most significant health data breach reported to federal authorities in 2025. Security experts suspect that the cybercriminal group Scattered Spider may be involved in the attack on Aflac, which coincided with similar breaches at other major insurers during the same period.

Aflac initially reported the incident to the U.S. Securities and Exchange Commission in June 2025, describing it as a “sophisticated cybercrime campaign” targeting insurance companies. This incident follows a series of attacks on large insurers, including Erie Indemnity Co. and Philadelphia Insurance Companies. While Aflac has yet to confirm any links to Scattered Spider, the group’s operations have previously targeted various sectors, including retail.

According to Aflac’s breach notification, the company detected unusual activity within its U.S. operations on June 12, 2025, and contained the incident within hours. Aflac emphasized that ransomware was not deployed against its systems. The investigation revealed that an unauthorized party obtained personal data, with the breach affecting not only customers but also employees and other affiliates. Compromised information encompasses names, contact details, claims data, health-related information, and Social Security numbers, although not every data element applies to every affected individual.

In response, Aflac is providing 24 months of free credit monitoring, identity theft protection, and medical fraud protection services to those affected. The company has stated that it is not aware of any fraudulent activity linked to this security incident at this time. However, a series of proposed class action lawsuits against Aflac have emerged, alleging negligence in safeguarding sensitive data and other claims related to data protection violations.

The civil litigation seeks both financial restitution and injunctive relief, which would require Aflac to implement a robust information security program designed to safeguard sensitive private information and would bar the company from retaining sensitive data in cloud-based databases.

As speculation grows around Scattered Spider’s involvement, experts note that the group has formed alliances with various cybercrime entities, complicating definitive attribution for the attacks. Connections with ransomware-as-a-service adversaries, including Lapsus$ and ShinyHunters, highlight the collaborative nature of these attacks, as pointed out by cybersecurity analyst Tim Rawlins. This collaboration underscores the need for heightened vigilance and advanced security measures in the face of evolving cyber threats.

For business owners, this incident serves as a stark reminder of the vulnerabilities inherent in handling sensitive information, reinforcing the necessity for comprehensive cybersecurity strategies. Utilizing frameworks such as the MITRE ATT&CK Matrix can aid in identifying relevant tactics—such as initial access, exploitation of vulnerabilities, and data exfiltration—that adversaries may employ in similar attacks. Continued awareness and proactive measures are critical as organizations navigate an increasingly perilous cyber landscape.
