US Insurance Giant Aflac Says Hackers Stole Personal and Health Data of 22.6 Million People

The Aflac breach illustrates how sophisticated hacker groups are exploiting the insurance industry’s rich data reservoirs. By compromising names, dates of birth, Social Security numbers, and detailed health records, the attackers have assembled a profile that can fuel identity theft, fraud, and black‑mail schemes. Scattered Spider, known for low‑cost ransomware and data‑theft operations, appears to be leveraging a broader campaign against insurers, a sector that traditionally stores extensive personal health information across multiple platforms.

Regulators in Texas and Iowa have already received detailed filings, signaling that state authorities will likely pursue investigations, potential fines, and mandatory remediation steps. For Aflac, the immediate priority is notifying the 22.65 million affected individuals while providing credit‑monitoring services to mitigate fallout. The breach also raises questions about the adequacy of existing cyber‑risk frameworks, especially as insurers grapple with evolving compliance mandates such as the New York Department of Financial Services (NYDFS) cyber rule and emerging federal privacy legislation.

Industry‑wide, the incident serves as a wake‑up call for insurers to reassess their security postures. Experts recommend adopting zero‑trust architectures, continuous threat‑intelligence monitoring, and regular penetration testing to detect lateral movement early. Moreover, insurers must integrate cyber‑risk into underwriting models, pricing policies that reflect the heightened threat landscape. As cybercriminals refine their tactics, firms that invest proactively in resilience will better protect customer data, preserve trust, and avoid costly regulatory penalties.