TL;DR: Aflac, America's largest supplemental health insurer, confirmed that a June 2025 cyberattack exposed personal and health data of 22.65 million people. Social Security numbers, medical records, driver's licenses, and government IDs were stolen. Cybersecurity researchers link the attack to Scattered Spider, the same gang behind attacks on MGM, Caesars, and multiple insurance companies. Aflac knew in June. They filed with the SEC in June. But they didn't finish telling victims until late December 2025. Two dozen class action lawsuits are already in play.

What Happened

On June 12, 2025, Aflac detected unauthorized access to its U.S. network. Attackers used social engineering (calling in and pretending to be employees) to get past the company's defenses [1].

No ransomware was deployed. No systems were shut down. The attackers didn't need to be loud about it. They just grabbed files and left.

Those files contained data on 22.65 million people: current and former customers, beneficiaries, employees, agents, and anyone else whose records happened to be sitting on the compromised systems [2].

What Was Stolen

According to filings with the Texas Attorney General, the stolen data includes [3]:

  • Full names and dates of birth
  • Home addresses
  • Social Security numbers
  • Driver's license numbers
  • Government-issued identification numbers
  • Medical information
  • Health insurance information

That's the full identity theft starter kit, plus your health records on top. Your name, where you live, your SSN, and what conditions you've been treated for, all in one package.

Scattered Spider Did This

Aflac hasn't officially named the attackers. What they did say is that the breach was part of a "campaign against the insurance industry" [4].

Cybersecurity researchers aren't being so coy. Multiple firms have linked this attack to Scattered Spider, also tracked as Octo Tempest and UNC3944 [5].

If that name rings a bell, it should. This is the same group that took down MGM Resorts and Caesars Entertainment in September 2023. They're an English-speaking cybercriminal network that specializes in one thing: talking their way into companies.

Their playbook is simple and devastating:

  • Call IT help desks pretending to be employees
  • Buy employee credentials on the black market
  • Send SMS phishing messages to staff
  • Execute SIM swaps to intercept multi-factor authentication codes

Around the same time Aflac was hit, Google's Threat Intelligence Group warned that Scattered Spider was specifically targeting insurance companies. Erie Insurance, Philadelphia Insurance Companies, and Scania Financial Services all reported cyberattacks during the same period [6].

Since the attacks, law enforcement has taken action: a leak site was seized, and two members were arrested in the UK. A DOJ complaint unsealed in September 2025 revealed the group extorted at least $115 million from dozens of victims over three years [7].

The Six-Month Drip

Here's the timeline that should make you angry:

  • June 12, 2025: Aflac detects the breach
  • June 20, 2025: Files with the SEC, telling investors
  • August 8, 2025: Reports to HHS Office for Civil Rights, with a placeholder figure of just 500 affected individuals
  • December 4, 2025: Investigation "concludes"
  • Late December 2025: Finally confirms 22.65 million affected and begins mass notification

Six months from breach to disclosure. Wall Street knew before you did. The SEC filing went out eight days after the breach. Your notification letter? That took half a year.

Meanwhile, your SSN, medical records, and government ID were sitting in the hands of one of the most prolific cybercriminal groups operating today.

The Legal Fallout

About two dozen proposed class action lawsuits have been filed, now consolidated before a federal judge in Columbus, Georgia, Aflac's headquarters. The allegations: Aflac failed to safeguard sensitive information and failed to promptly notify victims [8].

Aflac has until mid-March 2026 to formally respond.

The company is offering 24 months of credit monitoring, identity theft protection, and Medical Shield coverage. The enrollment deadline is April 18, 2026 [9].

What You Should Do

If you've ever had Aflac insurance, been a beneficiary, or worked for the company, assume your data was compromised. Here's what to do now:

  1. Freeze your credit with all three bureaus: Equifax, Experian, and TransUnion. Don't just monitor. Freeze.
  2. Check your explanation of benefits (EOB) statements for medical services you didn't receive. Medical identity fraud is a real risk with health data exposure.
  3. Enroll in the free monitoring Aflac is offering. It's the bare minimum they owe you, and the deadline is April 18, 2026.
  4. File an IRS Identity Protection PIN at irs.gov to prevent tax fraud using your stolen SSN.
  5. Watch for phishing. Attackers who have your name, address, date of birth, and insurance info can craft extremely convincing scam emails and calls.

The Bigger Picture

22.65 million people. That's roughly one in fifteen Americans.

Aflac says it's "not aware of any of the stolen information being fraudulently used." That's the standard line. It means nothing. Stolen identity data circulates on criminal markets for years. The fraud doesn't happen the day of the breach. It happens months or years later, when you've forgotten this ever happened.

The insurance industry is sitting on some of the most sensitive personal data in existence: your health conditions, your financial details, your government IDs. And Scattered Spider proved that a phone call to an IT help desk is all it takes to get in.

No ransomware. No zero-day exploit. No sophisticated malware. Just a convincing voice on the phone.

References

  1. TechCrunch – US insurance giant Aflac says hackers stole personal and health data of 22.6 million people (December 23, 2025)
  2. SecurityWeek – 22 Million Affected by Aflac Data Breach
  3. HIPAA Journal – Insurance Giant Aflac Confirms 22.65 Million Individuals Affected by June Cyberattack
  4. The Record – More than 22 million Aflac customers impacted by June data breach
  5. WebProNews – Aflac Data Breach by Scattered Spider Exposes 22.6 Million Records
  6. SiliconANGLE – Aflac breach exposes personal and health data of more than 22M people (December 24, 2025)
  7. AJC – Hack of Aflac potentially affected more than 22 million people
  8. GovInfoSecurity – Aflac Notifies 22.6 Million People of June Data Theft Attack
  9. Digital Watch Observatory – Aflac confirms large-scale data breach following cyber incident