Insurer’s Breach Likely to Be the Largest Reported Health Data Breach in 2025

Aflac, the largest supplemental health insurance provider in the United States, has alerted 22.65 million individuals about the potential compromise of sensitive health and personal data, including Social Security numbers, stemming from a data theft incident in June.
As of the latest update, Aflac’s breach statistics have not yet been reflected on the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool, which tracks incidents affecting 500 or more individuals. Aflac submitted a preliminary report to the Office for Civil Rights in August, initially estimating that 500 individuals were impacted.
When updated, Aflac’s estimated count of 22.65 million will likely classify the breach as the largest health data incident reported to U.S. federal authorities for 2025, a situation discussed in detail in the analysis titled 2025 In Health Data Breaches and Predictions for 2026.
Security experts have suggested that the cybercriminal group Scattered Spider may have orchestrated the attack on Aflac, as well as several other major insurers targeted around the same timeframe (refer to: Aflac: ‘Cybercrime Campaign’ Is Targeting Insurance Industry).
Aflac originally informed the U.S. Securities and Exchange Commission of the incident in June, describing it as a “sophisticated cybercrime campaign” targeting insurance companies. This breach occurred shortly after attacks on two other significant U.S. insurers—Erie Indemnity Co., operating as Erie Insurance, and Philadelphia Insurance Companies (see: Two Insurers Say Ongoing Outages Not Ransomware-Based).
While Aflac has refrained from commenting on speculation regarding Scattered Spider’s involvement, it’s notable that this group has previously targeted the retail sector (see: Retail Sector in Scattered Spider Crosshairs).
Aflac disclosed that on June 12, 2025, suspicious activity was detected on certain systems within its U.S. operations, which was apparently contained within hours. The company reported that its systems were not compromised by ransomware and remained operational during the incident.
Post-detection actions included securing at-risk accounts, resetting passwords, and increasing monitoring for suspicious activities. An investigation revealed that unauthorized access resulted in the compromise of personal data related to customers, beneficiaries, employees, and agents of Aflac.
Aflac confirmed the types of personal information impacted included names, contact details, claims data, health information, Social Security numbers, along with other personal identifiers, although not all data elements were necessarily present for every affected individual.
Aflac is providing 24 months of free credit monitoring, identity theft protection, and medical fraud protection services to those affected. The company maintained that it has seen no evidence of fraudulent use of compromised information in connection with this incident.
Two dozen class action lawsuits related to the breach have been filed against Aflac and consolidated in a Georgia federal court. The complaints allege negligence in safeguarding sensitive data against foreseeable cyber threats, breaches of implied contract, and unjust enrichment.
The litigation seeks financial compensation and injunctive relief, including requirements for Aflac to implement a comprehensive information security program designed to protect the confidentiality and integrity of personal data. It also seeks to prevent the company from maintaining any sensitive information on a cloud-based database.
Aflac has yet to respond to inquiries from Information Security Media Group regarding additional details about the cybersecurity incident.
The Connections of Cybercrime
Regarding the speculation that Scattered Spider was behind the attacks on Aflac and other insurers, experts indicate that this group may have affiliations with various other cybercrime organizations, complicating efforts for definitive attribution.
Scattered Spider has shown partnerships with other ransomware-as-a-service entities, such as Lapsus$ and ShinyHunters, which illustrates how the group leverages collaboration to enhance the effectiveness of its attacks, according to Tim Rawlins, senior adviser and cybersecurity director at NCC Group.
Given the complexity and limited public information about the inner workings of cybercriminal networks, understanding these dynamics remains challenging. However, the prevalence of the RaaS model, which allows for outsourced ransomware operations, provides some insight into Scattered Spider’s connections with major ransomware groups and the resultant security challenges.