FindArticles

Aflac Says Hackers Stole Data of 22.6 Million

Last updated: December 23, 2025 6:15 pm
By Gregory Zuckerman

U.S. insurance giant Aflac said it was reaching out to 22.65 million individuals after discovering that their personal information and health details had been stolen in a cyberattack, one of the biggest known data breaches in the insurance sector this year.

The disclosure represents a dramatic escalation from the company’s previous announcement, which said customer data had been accessed but gave no definitive statement on how many people might have been affected.


What Aflac says was stolen in the recent data breach

In regulatory filings with state officials, including the Texas Attorney General, Aflac said the stolen data might include names, birth dates, home addresses, Social Security numbers, government ID numbers such as driver’s license and passport details, and medical and health insurance information. That combination of identifying and health-related information carries a heightened risk of identity theft and medical fraud, in which criminals could file false claims or open accounts using stolen identities.

Aflac, which claims to have some 50 million customers worldwide, said it had started direct notifications. The company’s filings also say that federal law enforcement and outside cybersecurity experts have been involved, and that the attackers may be associated with a known cybercriminal group, DoppelPaymer, which has targeted insurers.

Suspected threat actor and targeted industry pattern

Aflac did not publicly identify the attackers, but investigators later referred to a group they said was targeting insurance companies around the same time. Security analysts have highlighted Scattered Spider as a probable fit based on methodology and targeting, though attribution in cyber conflicts is seldom certain. At about the same time, other insurers such as Erie Insurance and Philadelphia Insurance Companies said they had also been breached, indicating a coordinated assault on the sector.

Insurers are a ripe target because they hold a comprehensive body of information on each individual: financial identifiers, medical policy information and claims history. According to Verizon’s most recent Data Breach Investigations Report, 68 percent of breaches included a human element, such as social engineering and stolen credentials, both common tools for those who hunt for access to sprawling customer databases.

Regulatory stakes for health and data after the breach

Depending on the systems affected and the nature of the health information involved, the incident may also implicate obligations under federal health privacy rules in addition to state breach-notification laws. Insurers are also subject to the Gramm-Leach-Bliley Act protections for consumer financial information, and to a patchwork of state insurance cybersecurity requirements modeled on the NAIC Insurance Data Security Model Law, with some states like New York imposing their own strict cybersecurity regulations.

Regulators will be considering, for example, how the attackers got in (or out), whether multi-factor authentication and least-privilege access were followed, how quickly the intrusion was detected, and how well further damage was contained once an infection or leak was discovered. According to IBM’s latest worldwide study, the average cost of a data breach is around $4.88 million. Medical-related incidents are still the most expensive in terms of notification costs, legal fees, remediation expenses and long-tail fraud.


What affected individuals should watch for after the breach

This mix of SSNs and government ID numbers creates fraud opportunities that can last for years. Consumers who receive a notice should consider the following:

  • Place a credit freeze with the three big bureaus.
  • Review explanation-of-benefits statements and insurer portals for unfamiliar claims.
  • Check IRS guidance on obtaining an Identity Protection PIN to help ward off tax-related identity theft.

Medical identity theft may present as:

  • Claim denials for services not received.
  • Bills for services the victim did not receive.
  • Discrepancies in record-keeping or statements of benefits.

Therefore, requesting a statement of accounting for benefits and addressing inaccuracies is important.

Through Aflac’s notification program, impacted individuals will receive specific information about their data, the incident timeline and the availability of support services. People should be cautious about any subsequent outreach, as phishers frequently exploit significant breaches to collect more credentials.

Why this breach matters for insurance and policyholders

For insurers, the business risk goes beyond regulatory fines. When data theft happens on a massive scale, claim fraud can escalate, reserves can become harder to estimate, and relationships with employers and brokers, who count on claims being handled promptly and with accurate information, can be badly strained. As dependence on third-party platforms and cloud providers increases, the attack surface expands, making identity management, vendor risk assessments and quick detection and response mechanisms board-level imperatives.

What today’s revelation reinforces is a long-standing lesson in insurance: data security is product integrity. The insurance industry’s cyber defense posture — and how quickly it can harden identity controls and minimize data exposure — will be gauged by the real-world consequences for policyholders, more than 22 million of whom have been touched by the Aflac breach.

Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.