Insurance company Aflac, based in Columbus, GA, experienced a cyberattack in June 2025. The data breach report submitted to the HHS’ Office for Civil Rights on August 8, 2025 used a placeholder figure of 500 affected persons. Several months later, Aflac confirmed that approximately 26,500,000 individuals had been affected by the data breach. Aflac provides supplemental health insurance that covers medical costs not included in a primary insurance plan. Aflac’s subsidiaries are located in the U.S. and Japan, and it has 50 million clients around the world.
Aflac detected suspicious activity inside its systems on June 12, 2025 and contained the attack within hours. The investigation confirmed that several Aflac systems were compromised. Aflac stated that the attacker accessed several user accounts via social engineering and said the attacker could be associated with an identified cyber-criminal group; government law enforcement and third-party cybersecurity specialists have indicated that this group might have been targeting the insurance sector in particular.
Although the attacker was not named in Aflac’s breach notice, it is probably the hacking group Scattered Spider, which is known to have attacked the insurance sector at the beginning of 2025. Scattered Spider is a group of young English-speaking hackers whose members are mostly based in the U.S. and the U.K. This financially motivated group is known to use social engineering attacks for initial access. The HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about the group in October 2024 because of the threat it poses to the healthcare and public health (HPH) sector. Scattered Spider has previously conducted a social engineering campaign against hospital IT help desks, as well as campaigns attacking the insurance, business, and aviation sectors, and MSPs and IT providers.
Aflac announced the data breach in the summer of 2025 while its investigation was still under way. The breached data has now been confirmed to include members’ names, birth dates, addresses, government-issued ID numbers such as Social Security numbers, driver’s license numbers, passport and state ID card numbers, medical data, and medical insurance data. The breached information pertains to clients, beneficiaries, staff members, agents, and other people connected to Aflac’s U.S. organization. Aflac has begun sending notification letters to the impacted persons and is giving them free credit monitoring and identity theft protection services for two years. At the time the notification letters were sent, there was no reported misuse of the stolen information.
The number of affected clients in the United States is still uncertain; however, this appears to be one of the biggest healthcare data breaches in the U.S. for 2025. Because of the data breach, Aflac is facing over 20 class action lawsuits. Regulatory investigations are ongoing to determine whether the company was compliant with HIPAA and other state and national data privacy and security regulations.