Aflac, the largest U.S. supplemental health insurance provider, has notified 22.65 million individuals that their sensitive health and personal information, including Social Security numbers, may have been compromised in a major data breach that occurred in June 2025. The incident, which Aflac described as part of a "sophisticated cybercrime campaign" targeting the insurance industry, is expected to be the largest health data breach reported to U.S. federal regulators in 2025 once official numbers are updated on the Department of Health and Human Services' HIPAA Breach Reporting Tool.
Security researchers have speculated that the cybercriminal group Scattered Spider may be responsible for the attack, which coincided with similar incidents affecting other large U.S. insurers. Aflac initially reported the breach to the HHS Office for Civil Rights with a placeholder estimate of 500 affected individuals, but the updated figure of 22.65 million significantly increases the scale and impact of the incident. The breach highlights ongoing threats to the insurance sector and the potential for large-scale exposure of sensitive health data.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Aflac began notifying 22.65 million individuals that their data may have been compromised in the June 2025 attack. The company offered two years of credit monitoring, identity protection, and related fraud protection services, and said it had not observed fraudulent use of the data.
Following the breach, about two dozen class action lawsuits were filed against Aflac and later consolidated in Georgia federal court. The suits allege negligence and seek damages as well as security-related injunctive relief.
The incident resulted in the potential compromise of sensitive information including names, contact details, claims data, health information, Social Security numbers, and other personal data. Security researchers suspected possible links to Scattered Spider, but Aflac did not confirm attribution.
In June 2025, Aflac discovered a cyberattack involving data theft and said it contained the incident within hours. The attack did not involve ransomware, and Aflac's systems remained operational.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.