Multiple Healthcare and Insurance Data Breaches Impacting Millions
Several major organizations in the healthcare and insurance sectors have disclosed significant data breaches affecting millions of individuals. ARC Community Services reported a ransomware attack by the INC Ransom group, resulting in the exfiltration of sensitive patient data, including health and financial information. Aflac confirmed that a June cyberattack led to the theft of files containing insurance claims, health data, and Social Security numbers for over 22 million customers, with no operational disruption but widespread exposure of personal information. The Louisiana Office of Student Financial Assistance (LOSFA) notified students of unauthorized access to its systems, exposing names and Social Security numbers, though certain savings accounts were not affected. Oklahoma Spine Hospital agreed to a $1.1 million settlement following a July breach that compromised the data of nearly 39,000 patients, including medical and financial details.
These incidents highlight the ongoing threat posed by cybercriminals targeting sensitive data in the healthcare and insurance industries. Victims in these breaches are being offered credit monitoring and identity protection services, and regulatory notifications have been issued. The attacks have prompted legal action, regulatory scrutiny, and, in some cases, leadership changes within affected organizations. Law enforcement and cybersecurity experts have been engaged to investigate and mitigate the impact of these breaches, which are part of a broader trend of targeted attacks against organizations handling large volumes of personal and health-related information.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Aflac updates OCR with confirmed PHI impact of at least 13.9 million
By February 2026, Aflac updated regulators to reflect that protected health information of at least 13,924,906 individuals had been exposed or stolen in the June 2025 attack. Reporting at that stage said the overall incident affected approximately 26.5 million people.
Aflac faces class actions, regulatory scrutiny, and Senate attention
Following disclosure of the breach's scale, Aflac became the target of more than 20 class action lawsuits as well as regulatory investigations and bipartisan Senate scrutiny over its security practices and incident response. The legal and regulatory fallout expanded as the confirmed impact grew.
Aflac begins victim notifications and offers protection services
After confirming the scale of the breach, Aflac notified affected customers, beneficiaries, employees, and agents and offered 24 months of identity protection and credit monitoring. The company set an enrollment deadline of April 18, 2026 for the services.
Oklahoma Spine Hospital reaches $1.1 million settlement
By December 2025, Oklahoma Spine Hospital agreed to a $1.1 million settlement to resolve litigation over its July 2024 breach. The settlement provides credit monitoring, identity theft insurance, and possible cash payments to affected patients, pending final court approval.
Investors sue Coupang over delayed breach disclosure
A U.S. federal securities class action lawsuit filed by December 2025 alleged Coupang failed to disclose its November 2024 breach within the SEC's required timeframe. The case is being viewed as a test of the SEC's 2023 cybersecurity disclosure rules.
Students notified of LOSFA data security incident
By December 2025, LOSFA sent notification letters to students warning that an unauthorized party had accessed or removed files from certain systems. The agency said the START Saving Program and 529 savings accounts were not affected and that the investigation was ongoing.
Aflac completes investigation into June breach
Aflac concluded its investigation on December 4, 2025, determining that the breach affected about 22.7 million people, with later reporting putting the total at approximately 26.5 million. The stolen data included personal information, insurance claims data, health information, and Social Security numbers.
LOSFA says October cyberattack affected student data
LOSFA previously issued a statement about a cyberattack that occurred in October 2025 affecting certain agency systems. The later investigation found unauthorized access to files containing sensitive information such as names and Social Security numbers.
Aflac files initial HHS OCR breach report with placeholder count
On August 8, 2025, Aflac reported the breach to the HHS Office for Civil Rights using a placeholder estimate of 500 affected individuals. The filing indicated protected health information may have been compromised while the investigation was still ongoing.
Aflac breach linked to broader insurance-sector campaign
Reporting tied the Aflac intrusion to a social-engineering campaign consistent with Scattered Spider activity targeting insurance companies, including Erie Insurance, Philadelphia Insurance Companies, and Scania Financial Services. Aflac said the actor may be associated with a known cybercriminal organization, though it did not formally name the group.
Aflac detects and contains cyberattack on U.S. systems
Aflac detected suspicious activity on June 12, 2025 and contained the intrusion within hours with help from external cybersecurity experts and federal law enforcement. The attack involved data theft rather than ransomware and did not disrupt operations.
Coupang discloses breach to the SEC after 28-day delay
Coupang did not report its November 2024 breach to the SEC until December 16, 2024, beyond the timeframe required under SEC cybersecurity disclosure rules. The delayed disclosure later prompted regulatory scrutiny, executive resignations, and investor litigation.
Coupang discovers breach tied to ex-employee credentials
Coupang discovered a data breach on November 18, 2024 that exposed personal information from 33.7 million customer accounts. The incident was traced to a former employee who allegedly retained valid authentication credentials after leaving the company.
ARC Community Services hit by INC Ransom attack
In November 2024, ARC Community Services suffered a ransomware attack attributed to the INC Ransom group, which exfiltrated sensitive personal, financial, and health data. The organization took systems offline, engaged forensic experts, and later chose not to pay the ransom.
Oklahoma Spine Hospital email breach exposes nearly 39,000 patients
In July 2024, Oklahoma Spine Hospital suffered a breach involving unauthorized access to an email account, exposing personal, financial, and medical information of nearly 39,000 patients. The incident later led to consolidated class action litigation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Aflac Data Breach: PHI of At Least 13.9 Million Individuals Compromised
hipaajournal.com
Open sourceAflac Data Breach Exposes 22M People in Major Cyber Breach
techrepublic.com
Open sourceAflac confirms June data breach affecting over 22 million customers
securityaffairs.com
Open sourceARC Community Services Announces November 2024 Ransomware Attack
hipaajournal.com
Open sourceOklahoma Spine Hospital Agrees to $1.1M Data Breach Settlement
hipaajournal.com
Open sourceMore than 22 million Aflac customers impacted by June data breach
therecord.media
Open sourceLOSFA sends out letter to students warning of ‘data security incident’ involving information
databreaches.net
Open sourceSouth Korean firm hit with US investor lawsuit over data breach disclosure failures
csoonline.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Healthcare Data Breaches and Regulatory Actions in the US
Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.
Mar 21, 2026
Multiple Healthcare and Retail Data Breaches Impacting US Organizations
Several US organizations have reported significant data breaches affecting thousands of individuals. Pearlman Aesthetic Surgery in New York disclosed a hacking incident compromising the protected health information of nearly 12,000 patients, though specific details remain undisclosed. Methodist Homes of Alabama and Northwest Florida notified residents and employees of a second breach within seven months, involving unauthorized access to an employee email account containing sensitive personal and medical information. Gulshan Management Services, which operates over 150 gas stations and convenience stores, confirmed a breach that exposed the personal data of more than 377,000 people, including Social Security numbers and financial information, with delayed notification to affected individuals. Community First Medical Center in Chicago reached a $1 million preliminary settlement following a 2023 breach that exposed the data of approximately 216,000 patients, with allegations of inadequate cybersecurity measures and delayed response. These incidents have led to regulatory filings, class action lawsuits, and increased scrutiny over the timeliness and adequacy of breach notifications. The breaches highlight ongoing challenges in protecting sensitive data across healthcare and retail sectors, with attackers exploiting both network vulnerabilities and email accounts. Organizations are facing legal and reputational consequences, emphasizing the need for robust cybersecurity practices and prompt communication with affected individuals.
Mar 21, 2026
Recent Healthcare Data Breaches and Regulatory Actions in the United States
Multiple healthcare organizations across the United States have reported significant data breaches affecting the personal and protected health information of hundreds of thousands of patients and employees. Notable incidents include the compromise of NCH Corporation Employee Benefits Plan data via exploitation of a zero-day vulnerability in Oracle E-Business Suite, a ransomware attack on OrthopedicsNY resulting in a $500,000 fine by the New York Attorney General, and a major breach at Murfreesboro Medical Clinic & SurgiCenter attributed to the BianLian ransomware group. Other breaches involved unauthorized access to patient data at Fyzical Therapy & Balance Centers, exposure of client data through a law firm serving Goldman Sachs, and improper storage of thousands of medical records in a Memphis storage unit. Additionally, Health Share of Oregon and CareOregon notified members of unauthorized viewing of their information, though the exact nature of the incident remains unclear. Regulatory responses have included state attorney general enforcement actions, such as the fine imposed on OrthopedicsNY for failing to implement adequate cybersecurity measures. Organizations affected by these breaches have taken steps such as patching vulnerabilities, enhancing security policies, notifying affected individuals, and offering credit monitoring services. The incidents highlight ongoing risks to healthcare data security from ransomware, insider threats, third-party exposures, and improper data handling, as well as the increasing role of state regulators in enforcing HIPAA compliance and data protection standards.
Mar 21, 2026