Insurance giant Aflac has confirmed that a June 2025 cyberattack resulted in the theft of personal and health information belonging to approximately 22.65 million individuals, making it one of the largest healthcare data breaches of the year. The Columbus, Georgia-based company has begun notifying affected customers, beneficiaries, employees, and agents whose data was compromised.

The breach was discovered on June 12, 2025, when Aflac identified suspicious activity within its US network. The company attributed the intrusion to a sophisticated cybercrime group that gained access to multiple user accounts through social engineering techniques. While Aflac has not officially named the attackers, security researchers believe the notorious Scattered Spider hacking collective may be responsible, given the group's known targeting of the insurance industry.

The scope of stolen data is extensive and includes customer names, dates of birth, home addresses, Social Security numbers, and government-issued identification numbers such as passports, state IDs, and driver's licenses. More concerning for victims, the breach also exposed medical and health insurance information, creating potential risks for medical identity fraud in addition to traditional identity theft.

Aflac is providing affected individuals with 24 months of complimentary credit monitoring, identity theft protection, and medical fraud protection services, with an enrollment deadline of April 18, 2026. However, the company already faces legal consequences, with a class action lawsuit filed in federal court alleging data negligence, breach of contract, and privacy violations. Additionally, a bipartisan pair of US senators has demanded greater transparency from Aflac's leadership regarding the incident.

The breach highlights the ongoing vulnerability of healthcare and insurance organizations to social engineering attacks. Scattered Spider, if confirmed as the perpetrators, is known as a financially motivated collective of young English-speaking hackers primarily located in the United States and United Kingdom who specialize in sophisticated social engineering campaigns to gain initial network access.