Aflac Data Breach 2025: 13.9M Affected (22.65M Notified) After Scattered Spider-Linked Social Engineering Attack on Insurance Giant
Aflac filed a HIPAA breach notification with HHS OCR on August 8, 2025 after a June 12 social-engineering intrusion. The carrier later confirmed approximately 22.65 million people were notified, with at least 13.9 million U.S. PHI records exposed including SSNs, claims, and health information.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 12, 2025
Aflac detects unauthorized access; intrusion contained within hours (per 8-K)
Jun 12, 2025
Suspicious activity identified on the network; social-engineering vector
Jun 20, 2025
Aflac files Form 8-K with the SEC disclosing the cyber incident
Jun 23, 2025
First class-action investigations announced; lawsuits filed in M.D. Ga.
Jul 14, 2025
Federal court consolidates surging data-breach class actions against Aflac
Aug 8, 2025
Initial HIPAA breach report filed with HHS OCR (placeholder count)
Aug 8, 2025
Disclosed publicly
Dec 19, 2025
Aflac issues public update; notification mailings begin to ~22.65M people
Feb 12, 2026
OCR portal entry updated: at least 13,924,906 U.S. PHI records confirmed exposed
Jun 12, 2025
Aflac detects unauthorized access; intrusion contained within hours (per 8-K)
Jun 12, 2025
Suspicious activity identified on the network; social-engineering vector
Jun 20, 2025
Aflac files Form 8-K with the SEC disclosing the cyber incident
Jun 23, 2025
First class-action investigations announced; lawsuits filed in M.D. Ga.
Jul 14, 2025
Federal court consolidates surging data-breach class actions against Aflac
Aug 8, 2025
Initial HIPAA breach report filed with HHS OCR (placeholder count)
Aug 8, 2025
Disclosed publicly
Dec 19, 2025
Aflac issues public update; notification mailings begin to ~22.65M people
Feb 12, 2026
OCR portal entry updated: at least 13,924,906 U.S. PHI records confirmed exposed
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Columbus, Georgia-headquartered supplemental insurance carrier Aflac Incorporated (NYSE: AFL) disclosed in a June 20, 2025 Form 8-K filing with the SEC that an unauthorized party gained access to its U.S. network on June 12, 2025 using social-engineering tactics. Aflac said it contained the intrusion within hours and that ransomware did not encrypt its systems. The HHS Office for Civil Rights breach portal currently reflects 13,924,906 affected individuals in the United States, the largest single healthcare breach posted to OCR for 2025. Aflac’s own December 2025 update placed total notification volume at approximately 22.65 million people worldwide, including customers, beneficiaries, employees, agents, and other individuals tied to its U.S. business.
Timeline of what we know
- June 12, 2025 — Aflac identifies unauthorized access to its U.S. network. The 8-K states the company “promptly initiated its cybersecurity incident response protocols and believes that it contained the intrusion within hours.” Preliminary findings cite social engineering as the access vector.
- June 20, 2025 — Aflac files a Form 8-K with the SEC under Item 8.01 (Other Events), publicly disclosing the incident. The filing notes systems were not affected by ransomware and business operations continued.
- Late June 2025 — Plaintiffs’ firms announce investigations. The first putative class actions are filed in the U.S. District Court for the Middle District of Georgia, Columbus Division.
- July 14, 2025 — The federal court consolidates the surging docket of class actions into In re Aflac Inc. Data Breach Litigation.
- August 8, 2025 — Aflac files the HIPAA breach report with HHS OCR using a placeholder count of 500 individuals while the forensic review continues.
- December 19, 2025 — Aflac publishes a public update and begins issuing individual notification letters, disclosing that approximately 22.65 million people may have had personal information impacted.
- February 12, 2026 — Aflac updates its OCR submission. The portal now lists 13,924,906 U.S. individuals whose protected health information was exposed or stolen.
What was exposed
Per Aflac’s 8-K, December 2025 public update, and Iowa Attorney General filing, the files accessed during the intrusion may have contained any of the following, depending on the individual:
- Full name and home address
- Date of birth
- Social Security number
- Driver’s license number, state ID card number, or passport number
- Health information and medical records
- Health insurance information
- Claims information
Aflac has emphasized in its notifications that “not every data element was present for every affected individual.”
What Aflac is offering
Aflac is offering affected individuals 24 months of complimentary credit monitoring, identity theft protection, and medical fraud protection services. The company has not publicly named the monitoring vendor in the press release, though the enrollment instructions are included in individual notification letters. Aflac also stood up a dedicated call center to handle questions from affected individuals. Enrollment deadlines vary by mailing date; check the specific deadline printed on your letter.
Class-action and regulatory posture
By late July 2025 the U.S. District Court for the Middle District of Georgia had consolidated more than a dozen putative class actions into In re Aflac Inc. Data Breach Litigation, No. 4:25-cv-00183 (M.D. Ga.). Reporting from BankInfoSecurity and Law.com puts the total number of suits filed in Georgia federal court at roughly two dozen as of early 2026, alleging negligence, breach of implied contract, and unjust enrichment, and seeking injunctive relief that would require Aflac to implement a comprehensive information security program.
Aflac’s filing with the Iowa Attorney General stated that the threat actor “may be affiliated with a known cyber-criminal organization” and that federal law enforcement had indicated the group “may have been targeting the insurance industry at large.” Security researchers and trade press have widely attributed the campaign to the Scattered Spider collective, which has known partnerships with ShinyHunters and Lapsu$. Aflac has not formally confirmed the attribution.
The HHS Office for Civil Rights investigation remains open. State attorney general filings have been submitted in Iowa, Maine, California, Texas, and other states that require separate notification.
What to do if you may be affected
Sensitive identifiers were exposed. Treat this as a high-severity exposure and stack defenses:
- Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new account fraud cold. This is the single highest-leverage step when SSNs are in play.
- Enroll in the credit monitoring Aflac is offering if you receive a notification letter. The 24-month medical fraud protection component is particularly important because health insurance and claims data were exposed.
- File IRS Form 14039 (Identity Theft Affidavit) if you see a rejected tax return or suspicious IRS correspondence. With SSNs in the wild, tax-refund fraud is a leading attack pattern.
- Request an Identity Protection PIN (IP PIN) from the IRS for your federal returns. It is free at irs.gov/ippin and prevents fraudulent filings under your SSN.
- Watch for medical identity theft. Request copies of any Explanation of Benefits from health insurers you use. Verify the claims listed are yours. If you see services you did not receive, report them to the insurer and to the HHS OCR.
- Be skeptical of phone, text, and email outreach claiming to be from Aflac. Threat actors often follow large breaches with targeted phishing using leaked identifiers. Aflac will not ask for full SSN or banking details by phone to “verify” your account.
- If your driver’s license or passport number was exposed, contact your state DMV and the U.S. Department of State respectively to flag the record.
Sources
- Aflac Form 8-K (SEC EDGAR, filed June 20, 2025)
- Aflac newsroom: “Aflac Incorporated Discloses Cybersecurity Incident” (June 20, 2025)
- Aflac newsroom: “Aflac updates June 2025 security incident” (December 19, 2025)
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Aflac Data Breach
- TechCrunch — Aflac says hackers stole personal and health data of 22.6 million people
- BankInfoSecurity — Aflac Notifies 22.7 Million People of June Data Theft Attack
- Cybersecurity Dive — Aflac discloses cyber intrusion linked to wider crime spree targeting insurance industry
- Law.com — Federal Court Consolidates Surging Data Breach Class Actions Against Aflac
- Justia docket — In re Aflac Inc. Data Breach Litigation, 4:2025cv00183 (M.D. Ga.)
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Aflac Form 8-K (SEC EDGAR, filed June 20, 2025)
- Aflac newsroom: 'Aflac Incorporated Discloses Cybersecurity Incident' (June 20, 2025)
- Aflac newsroom: 'Aflac updates June 2025 security incident' (December 19, 2025)
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Aflac Data Breach tracking page
- TechCrunch — Aflac says hackers stole personal and health data of 22.6 million people
- BankInfoSecurity — Aflac Notifies 22.7 Million People of June Data Theft Attack
- Cybersecurity Dive — Aflac discloses cyber intrusion linked to wider crime spree targeting insurance industry
- Law.com — Federal Court Consolidates Surging Data Breach Class Actions Against Aflac
- Justia docket — IN RE AFLAC INC DATA BREACH LITIGATION, 4:2025cv00183 (M.D. Ga.)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.