Half a year after disclosing a cybersecurity incident, health and life insurer Aflac is now notifying roughly 22.6 million people that their personal data was stolen from the company's systems in June 2025.
Back in the summer, Aflac said that the attack on its US network, which was identified on June 12th, was caused by a “sophisticated cybercrime group,” but didn’t specify a name.
The insurer also explained it was unable to determine the total number of affected individuals until a review, which was in its early stages, was completed. Aflac also insisted its operations weren’t affected since file-encrypting ransomware wasn’t deployed.
It now seems that the investigation is over. Aflac has announced it has completed its internal probe into the potentially compromised data and has begun notifying affected individuals. It’s not good news.
“The review of the potentially impacted files determined personal information associated with customers, beneficiaries, employees, agents, and other individuals related to Aflac was involved,” said the insurer.
In another press release, Aflac said: “Based on our review of potentially impacted files, we have determined personal information associated with approximately 22.65 million individuals was involved.”
The stolen information, Aflac confirmed, includes names, addresses, Social Security numbers, dates of birth, driver’s license numbers, government ID numbers, medical and health insurance information, and other data.
The insurer said it was providing affected clients with 24 months of free credit monitoring, identity theft protection, and medical fraud protection services.
Health insurers have been facing increased cybersecurity risks recently, with UnitedHealth's breach being a notable example, affecting more than 100 million people last year.
Aflac, a firm offering accident and pet insurance plans in the US and Japan, also said it wasn’t aware of its customer data being exploited but said the incident was part of a “campaign against the insurance industry.”
The insurer manages personal, medical, and financial data of more than 50 million policyholders.
Curious what others think about this story? Contribute your thoughts to the debate below.
Health insurers have been facing increased cybersecurity risks recently, with UnitedHealth's breach being a notable example, affecting more than 100 million people last year.
Incidentally, Google warned in June 2025 – right before the incident at Aflac – that Scattered Spider, a ransomware group, was shifting its attention from the retail sector to insurance companies.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked