U.S. insurance giant Aflac admitted Tuesday that cybercriminals stole personal and health information belonging to approximately 22.65 million individuals, a wide-ranging theft that shows just how appealing insurers have become to data-hungry threat groups.
Scope of Personal and Health Data Exposed by Aflac
In regulatory filings to state attorneys general, including in Texas, the company said the stolen data included names, dates of birth, home addresses, and government-issued identification numbers like driver’s licenses and passports, as well as Social Security numbers. Aflac also acknowledged that medical and health insurance information was exposed, which is a type of data that can be used for medical identity theft and false claims.
According to its public materials, Aflac has approximately 50 million customers, so the incident would affect around 45 percent of its stated customer base. The insurer said it has also started notifying affected individuals and is working with law enforcement and third-party cybersecurity experts.
Suspected Threat Actor and Targeting of Insurers
In a filing to the Iowa attorney general, Aflac said the intruders are suspected of being part of a cybercriminal ring that is well known and believed to be attacking the insurance industry in aggregate. Though the company did not publicly attribute the group, security researchers and federal investigators have blamed collectives like Scattered Spider for devastating intrusions throughout finance and insurance that often involve social engineering along with identity-focused attacks.
Aflac’s disclosure is one of several insurer breaches unveiled around the same time, including breaches at Erie Insurance and Philadelphia Insurance Cos. The pattern is evident: Insurers are the holders of rich lodes of personally identifiable information and detailed health data, a treasure trove that makes them prime targets for all kinds of credential theft, extortion, and resale operations.
Why Insurer Breaches Are So Expensive for Consumers
Health and insurance records have long-lasting value to criminal markets because they can be used for numerous types of fraud: opening lines of credit, submitting false insurance claims, redirecting benefits, and creating convincing phishing lures. While you can change passwords, identifiers like Social Security and driver’s license numbers aren’t easy to change.
Healthcare-related events have always dominated the breach cost rankings in industry analyses because of regulatory compliance requirements, notification and remediation costs, and risk of long-tail litigation. IBM’s Cost of a Data Breach reports have consistently found healthcare to be the most costly industry to clean up, and federal regulators stress that medical identity theft can take years to unravel.
For insurers, the fallout unfolds far beyond incident response. Claims systems, broker portals, and third-party administrators are heavily intertwined, so a breach of one sends ripples through vendor ecosystems. That’s why regulators and the National Association of Insurance Commissioners have been promoting adoption of the Insurance Data Security Model Law, which prescribes risk assessments, incident response planning, and prompt notice to overseers.
What Affected People Should Do Now to Protect Data
- Place a security freeze with Equifax, Experian, and TransUnion. A freeze is free and prevents new credit checks, the most effective way to stop accounts from being opened in your name. If a freeze is not possible, add a fraud alert so lenders take extra steps to verify applications.
- Review EOB statements and insurer portals for unknown providers or claims. If you spot treatment that wasn’t rendered to you, call the insurer’s fraud unit and request a claims history immediately.
- Consider getting an IRS Identity Protection PIN to mitigate the risk of fraudulent tax refund claims resulting from stolen SSNs.
- Be wary of follow-on phishing. Attackers frequently weaponize breach news to impersonate the company, a bank, or a health provider. Don’t click links in unsolicited messages; instead, visit the official website or use the customer service number listed on your policy documents.
Regulatory and Legal Fallout From the Aflac Breach
Large-scale data events at insurance companies often bring state insurance departments and attorneys general to their doors with possible enforcement action related to data security, focused on overall expectations. Civil litigation is also common. Past health insurer breaches have led to large class-action settlements and regulatory fines, including agreements in the tens of millions with federal privacy regulators.
Acknowledgments by Aflac that law enforcement and external cybersecurity firms have been engaged allude to a multifaceted response, potentially combining threat eradication, forensic review, and long-term hardening across identity/access/vendor risk. The proof will be in how completely the company enhances controls to prevent credential theft and lateral movement—tactics that have been at the heart of recent attacks on financial and insurance firms.
With tens of millions impacted and sensitive information exposed, this breach could be one of the most impactful in insurance history.
The top priority should focus on clear communication and consumer protection now, in addition to a continued push for improved authentication and privileged access management capabilities, third-party accountability, and oversight throughout the insurance ecosystem.
