Insurer’s Hack Could Rank as Largest US Health Data Breach Reported in 2025

Aflac, the largest U.S. supplemental health insurance provider, is notifying 22.65 million people whose sensitive health and personal information, including Social Security numbers, was potentially compromised in a June data theft incident.
As of Friday, Aflac’s count for the number of people affected by the breach was not yet posted on the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals. Aflac submitted a HIPAA breach report about the incident to HHS’ Office for Civil Rights in August with a placeholder estimate of 500 people affected.
When and if the HHS OCR’s website is updated with Aflac’s latest estimate of 22.65 million people, the hacking incident will likely rank as the largest health data breach reported to U.S. federal regulators in 2025 (see: 2025 In Health Data Breaches and Predictions for 2026).
Security researchers had speculated that cybercriminal gang Scattered Spider was behind the attack on Aflac, as well as several other large insurers that were hit around the same time last year (see: Aflac: ‘Cybercrime Campaign’ Is Targeting Insurance Industry).
Aflac first disclosed the incident to the U.S. Securities and Exchange Commission in June, saying it was the victim of a “sophisticated cybercrime campaign” targeting insurers. The June Aflac attack came on the heels of attacks on two other large U.S. insurers since June 8, including Erie Indemnity Co. – which does business as Erie Insurance – and Philadelphia Insurance Companies (see: Two Insurers Say Ongoing Outages Not Ransomware-Based).
Aflac has not publicly commented on speculation that the attacks on the Georgia-based company, as well as on Erie Insurance and Philadelphia Insurance, were launched by Scattered Spider – which also heavily targeted the retail sector last year (see: Retail Sector in Scattered Spider Crosshairs).
Aflac in its breach notice said that on June 12, 2025, it detected suspicious activity on a limited number of its systems within its U.S. business. “Importantly, the security incident was contained within hours,” Aflac said. “Our systems were not affected by ransomware and remained operational.”
“Following detection of the security incident, Aflac promptly secured accounts identified as potentially impacted and took additional steps, including resetting passwords and further monitoring for signs of suspicious activity,” the company said.
Aflac’s investigation into the incident determined that an unauthorized actor obtained personal information from an Aflac system on June 12, 2025.
“The review of the potentially impacted files determined personal information associated with customers, beneficiaries, employees, agents and other individuals related to Aflac was involved,” the company said. Compromised files included names, contact information, claims information, health information, Social Security numbers and other personal information, Aflac said, noting that not every data element was present for every affected individual.
Aflac is offering affected individuals 24 months of complimentary credit monitoring, identity theft protection and medical fraud protection services. “Aflac is not aware of any fraudulent use of personal information as a result of this security incident,” the company said.
So far, about two dozen proposed class action lawsuits have been filed against Aflac involving the cyber incident and consolidated in a Georgia federal court.
The class action litigation alleges, among other claims, that Aflac was negligent in failing to safeguard plaintiffs’ and class members’ sensitive information against “foreseeable” threats, as well as breach of implied contract and unjust enrichment.
The litigation is seeking financial damages, as well as injunctive relief that includes requiring Aflac “to implement and maintain a comprehensive information security program designed to protect the confidentiality and integrity of the private information of plaintiff and class members,” and prohibiting the company from maintaining that sensitive information “on a cloud-based database.”
Aflac did not immediately respond to Information Security Media Group’s request for additional comment and details about the cyber incident.
Cybercrime Partnerships
As for the speculation that Scattered Spider was behind the attacks on Aflac and some other insurers, the gang appears to have connections to several other cybercrime groups, making definitive attribution difficult, some experts said.
Scattered Spider partnerships have been observed with other ransomware-as-a-service groups, including Lapsus$ and ShinyHunters, “further demonstrating how Scattered Spider leverages collaboration in general to conduct effective attacks,” said Tim Rawlins, senior adviser and director of security at cybersecurity consulting firm NCC Group.
“Exploring this matter is challenging, given that there is limited public information surrounding the internal dynamics between cybercriminals and their respective networks,” he said. “However, the prominence of the RaaS model, which focuses on outsourcing various areas of ransomware operations to affiliates, can provide a possible explanation into Scattered Spider’s connections with major RaaS gangs and the associated security implications.”
