Aflac notifies 22.6M after hackers steal personal and health data

TL;DR

Aflac has begun notifying about 22.65 million people after a cyberattack exposed customer personal and health information. Filings with state attorneys general say stolen records include names, dates of birth, government ID numbers, Social Security numbers and medical and insurance details.

What happened

Aflac initially disclosed a data breach in June but did not specify how many people were affected. In a recent update filed with state authorities, the insurer said it has started notifying roughly 22.65 million individuals whose information was taken in the incident. According to filings with the Texas and Iowa attorneys general, the stolen material includes customer names, birth dates, home addresses, government-issued ID numbers (including passports and state ID cards), driver’s license numbers, Social Security numbers, and medical and health insurance information. The Iowa filing states the perpetrators may be tied to a known cyber‑criminal organization; federal law enforcement and outside cybersecurity experts indicated the group may have been targeting the insurance sector. Observers have pointed to Scattered Spider as a likely actor given contemporaneous attacks on other insurers. Aflac did not respond to a TechCrunch request for comment. The company reports about 50 million customers on its website.

Why it matters

• Sensitive identifiers such as Social Security numbers and government IDs were exposed, raising risks of identity theft and fraud for millions.
• Health and insurance records were included, which can compound privacy harms and complicate remediation for affected individuals.
• The incident appears part of a wider pattern of attacks on the insurance industry, suggesting elevated sector-wide risk.
• With roughly 22.65 million people notified out of about 50 million customers, a substantial portion of the insurer’s client base may be affected.

Key facts

• Aflac began notifying about 22.65 million people after the breach.
• Stolen data reported in filings includes names, dates of birth, home addresses, government ID numbers, driver’s license numbers, Social Security numbers, and medical and health insurance information.
• Initial disclosure of the breach occurred in June; the company did not provide a victim count at that time.
• An Iowa filing said the attackers may be affiliated with a known cyber‑criminal organization and that authorities and cybersecurity experts believe the group targeted the insurance industry.
• Observers have pointed to Scattered Spider as a likely suspect given simultaneous attacks on insurers.
• Aflac did not provide comment to TechCrunch when contacted.
• Aflac’s public website lists the company as having around 50 million customers.
• Other insurers hit around the same time include Erie Insurance and Philadelphia Insurance Companies.

What to watch next

• Whether federal law enforcement publicly identifies the group responsible — not confirmed in the source.
• Any regulatory or legal actions against Aflac or related lawsuits from affected individuals — not confirmed in the source.
• Additional disclosures about the scope of the breach, remediation steps, and offered protections for victims (credit monitoring, identity restoration) — not confirmed in the source.

Quick glossary

• Data breach: An incident where unauthorized parties gain access to confidential or protected information.
• Social Security number (SSN): A U.S. government-issued number used to track earnings and benefits; often targeted in identity theft.
• Protected health information (PHI): Health-related data that can identify an individual, including medical records and insurance details.
• Cyber‑criminal organization: A coordinated group that carries out digital attacks for financial or strategic gain.

Reader FAQ

How many people were affected?
Aflac said it has begun notifying about 22.65 million people whose data was stolen.

What types of information were taken?
Filings list names, dates of birth, home addresses, government ID numbers (passports, state IDs), driver’s license numbers, Social Security numbers, and medical and health insurance information.

Do we know who carried out the attack?
Aflac’s filing says the attackers may be affiliated with a known cyber‑criminal organization; observers have pointed to Scattered Spider as likely, but the exact attribution is not confirmed in the source.

Has Aflac commented or responded publicly?
Aflac did not respond to TechCrunch’s request for comment; the company has filed notices with state attorneys general and is notifying affected individuals.

Will affected customers receive credit monitoring or remediation?
not confirmed in the source

In June, U.S. insurance giant Aflac disclosed a data breach where hackers stole customers’ personal information, including Social Security numbers and health information, without saying how many victims were affected. …

Sources

• US insurance giant Aflac says hackers stole personal and health data of 22.6 million people
• Aflac says June data breach affected 22.6M individuals
• Aflac says 22.6M people impacted by June hack …
• US insurance giant Aflac says hackers stole personal and …

Related posts

• Trump administration pauses nearly 6 GW of East Coast offshore wind leases
• OpenAI: Agentic AI browsers will likely remain vulnerable to prompt injection
• Anna’s Archive says it scraped 86 million Spotify tracks and posted metadata