Aflac Confirms 22.6 Million Affected in June Data Breach
Insurance giant Aflac discloses hackers stole SSNs, health records, and personal data from 22.6 million people in a June 2025 breach attributed to Scattered Spider.
U.S. insurance giant Aflac has begun notifying 22.6 million people that their personal and health information was stolen during a cyberattack in June 2025. The breach, attributed to the Scattered Spider threat actor collective, represents one of the largest healthcare-adjacent data thefts in U.S. history.
TL;DR
- What happened: Hackers breached Aflac's systems in June 2025 and exfiltrated personal data including SSNs and health information
- Who's affected: 22.65 million customers, beneficiaries, employees, and agents across Aflac's U.S. business
- Severity: High - sensitive health data and government IDs stolen
- Action required: Affected individuals should enroll in Aflac's free identity protection and monitor credit reports
What Data Was Stolen?
According to filings with the Texas Attorney General, the stolen data includes names, dates of birth, home addresses, government-issued ID numbers (passports and state IDs), driver's license numbers, Social Security numbers, and medical and health insurance information. The breach affected customers, beneficiaries, employees, agents, and other individuals associated with Aflac's U.S. operations.
Texas alone saw over 2 million residents impacted. Given Aflac's stated customer base of approximately 50 million people, this incident affected roughly 45% of its total U.S. footprint.
How Did the Attack Happen?
The security incident began on June 12, 2025, and Aflac claims it was contained within hours of detection. The company completed its investigation on December 4, determining which files contained information requiring notification under applicable law.
While Aflac hasn't publicly named the attackers, security researchers point to Scattered Spider as the likely culprit. The loosely organized collective of primarily young, English-speaking hackers was actively targeting the insurance industry during the summer of 2025. Aflac was one of several insurers compromised around the same time, alongside Erie Insurance and Philadelphia Insurance Companies.
Scattered Spider gained notoriety for social engineering attacks against major corporations, including the 2023 MGM Resorts breach that caused an estimated $100 million in damages. The group specializes in SIM-swapping, phishing, and help desk manipulation to gain initial access.
Why the Six-Month Delay?
The gap between the June breach and December disclosure has drawn criticism. Aflac waited until December 22 to file with regulators and begin notifications—over six months after the initial incident. The company stated it needed time to conduct a "detailed review of potentially impacted files" before determining notification obligations.
This timeline has consequences for victims, who have been exposed to identity theft risk for half a year without knowing their data was compromised. The delay also complicates incident response for affected individuals who may have already experienced fraudulent activity without understanding the source.
Why This Matters
Healthcare and insurance data commands premium prices on dark web markets because it enables medical identity fraud, insurance claim manipulation, and targeted phishing campaigns. Unlike credit card numbers that can be changed, medical histories and Social Security numbers are permanent—making this type of breach particularly damaging.
The Scattered Spider connection also signals a broader trend. The group has shifted from targeting casinos and tech companies to softer targets in financial services and insurance. Organizations in these sectors should anticipate similar campaigns.
Recommended Actions for Affected Individuals
- Enroll in identity protection - Aflac is offering two years of complimentary identity protection services
- Place fraud alerts - Contact one of the three major credit bureaus to place a fraud alert on your file
- Consider a credit freeze - This prevents new accounts from being opened in your name
- Monitor explanation of benefits - Watch for medical procedures or prescriptions you didn't receive
- Review health insurance claims - Check for fraudulent claims filed using your information
Frequently Asked Questions
How do I know if I'm affected by the Aflac breach?
Aflac is sending notification letters to affected individuals. If you've been an Aflac customer, beneficiary, employee, or agent at any point, you may be impacted. Contact Aflac directly or watch for a notification letter.
What should I do if I suspect medical identity theft?
Request your medical records from healthcare providers and review them for procedures or prescriptions you didn't receive. Report discrepancies to your insurer and file a complaint with the FTC at IdentityTheft.gov.
Is this related to ransomware?
Aflac stated it did not experience a ransomware intrusion. The attack appears to have been focused on data exfiltration rather than system encryption.