US insurance giant Aflac data breach has now been confirmed as one of the largest healthcare-related cyber incidents in recent years. The company revealed that hackers stole sensitive personal and health data belonging to about 22.6 million people. This disclosure follows an earlier notice in June, when Aflac acknowledged a cyberattack but did not reveal how many customers were affected.
At the time of the initial announcement, details were limited. Customers were told that unauthorized access had occurred, but the scope remained unclear. That uncertainty has now ended as millions begin receiving formal breach notification letters.
According to filings with U.S. state regulators, the attackers accessed deeply sensitive personal information. This includes full names, dates of birth, and home addresses. For many victims, the breach went further and exposed government-issued identification details.
Aflac confirmed that stolen records include driver’s license numbers, state ID cards, passport details, and Social Security numbers. This type of data is highly valuable to cybercriminals and can be misused for years. Identity theft, financial fraud, and impersonation scams are all real risks following breaches of this scale.
The breach also involved medical and health insurance information. While Aflac has not disclosed specific medical details, filings indicate that insurance-related health data was accessed. This elevates the seriousness of the incident, as health information is among the most sensitive data insurers hold.
In a filing with the Texas attorney general, Aflac said approximately 22.65 million people are now being notified. A separate filing with the Iowa attorney general added that the attackers may be linked to a known cybercriminal organization. Federal law enforcement and third-party cybersecurity experts reportedly reached that conclusion during the investigation.
Although Aflac did not name the group, cybersecurity analysts point to Scattered Spider as the likely culprit. This loosely organized hacking group was actively targeting insurance companies at the time of the breach. Its members are known for using social engineering rather than purely technical exploits.
Scattered Spider has a history of impersonating employees and manipulating help desk staff to gain system access. Once inside, the group typically escalates privileges and quietly steals large volumes of data. These tactics align closely with the patterns seen in the Aflac incident.
Despite the seriousness of the breach, Aflac has offered limited public commentary. A spokesperson did not respond to questions from TechCrunch. As a result, many details about how the breach occurred remain unknown.
The silence has raised concerns among privacy advocates. Transparency is often viewed as critical in incidents involving personal and health data. Without clear explanations, affected customers are left uncertain about the true level of risk.
The breach is particularly significant given Aflac’s size. The company reports serving around 50 million customers worldwide. While not all were affected, the compromised data represents a substantial portion of its customer base.
This attack was not an isolated event. Several insurers were breached around the same time. Erie Insurance and Philadelphia Insurance Companies also disclosed cyber incidents, pointing to a broader industry-wide campaign.
Security experts warn that insurance firms are prime targets. They store large volumes of personal, financial, and medical data in centralized systems. For attackers, a single breach can yield massive rewards.
For affected individuals, the fallout may last for years. Social Security numbers and ID documents cannot be easily changed. Health data adds another layer of exposure, making victims more vulnerable to targeted scams.
Aflac says it is notifying impacted customers in line with legal requirements. It has not yet detailed the full scope of support being offered. Many companies in similar situations provide credit monitoring or identity protection services.
Regulators are expected to closely examine the incident. Large-scale exposure of health and identity data often triggers deeper scrutiny of security practices. Any failures could lead to enforcement actions or penalties.
The Aflac data breach highlights a growing problem across the insurance sector. As systems become more digital, the attack surface expands. Cybercriminals are moving faster than many defenses.
How Aflac responds in the months ahead will be critical. Strong remediation, clear communication, and security upgrades will shape customer trust. For millions affected, the breach is not just a headline, but an ongoing personal risk.
