Aflac has confirmed a major data breach impacting approximately 22.7 million individuals, making it one of the largest insurance-sector breaches disclosed this year. The incident exposed highly sensitive personal and health-related data belonging to customers, beneficiaries, employees, and insurance agents.

The breach was disclosed through regulatory filings and breach notifications sent to affected individuals.

What Happened

According to Aflac, the company detected unauthorized access to its U.S. network on June 12, 2025. Security teams moved quickly to contain the incident within hours of detection.

Following a months-long forensic investigation, Aflac determined that threat actors accessed files containing sensitive personal information. The company stated that the intrusion did not involve ransomware and did not disrupt business operations.

How Many People Were Affected

Aflac estimates that approximately 22.65 million individuals were impacted, including:

• Policyholders

• Beneficiaries

• Employees

• Insurance agents

• Other individuals whose data was stored in affected systems

What Data Was Exposed

The compromised files may have included:

• Full names

• Dates of birth

• Home addresses

• Social Security numbers

• Driver’s license and passport numbers

• Health insurance and medical information

The exposure of combined identity and health data significantly increases the risk of identity theft, insurance fraud, and targeted phishing attacks.

Aflac’s Response

Aflac has begun notifying affected individuals and is offering complimentary credit monitoring and identity theft protection services. Impacted users have been given time to enroll in these services through 2026.

The company also confirmed that it notified regulators and engaged external cybersecurity experts and law enforcement as part of the investigation.

Why This Matters

The insurance sector continues to be a high-value target for cybercriminals due to the volume of long-term, high-trust personal data stored by insurers.

Unlike financial breaches where cards can be reissued, exposed identity and health data can be abused for years, enabling:

• Medical identity theft

• Long-term financial fraud

• Highly convincing social engineering attacks

This incident follows a broader trend of cyber intrusions impacting U.S. insurance providers in recent months.

What Individuals Should Do Next?

Affected individuals should:

• Enroll in Aflac’s identity protection services

• Monitor credit reports and insurance statements closely

• Be alert for phishing emails or calls referencing insurance claims or personal details

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.