Aflac Data Breach Affects 13.9 M Individuals

Aflac Incorporated has reported a data breach that compromised the protected health information of at least 13.9 million individuals.

Incident Overview

Health insurance company Aflac Incorporated updated its data breach report to indicate that the protected health information of at least 13.9 million individuals was affected. The initial data breach report had a placeholder of 500 affected individuals. In January 2026, Aflac updated the total with an estimate of 22.65 million affected individuals. The most recent report now lists only about 13.9 million affected individuals. This figure could still change as the investigation continues.

Aflac detected suspicious activity in its network on June 12, 2025, which was confirmed to be unauthorized access to multiple user accounts via social engineering. The hacking group Scattered Spider likely conducted the attack, as it has been known for attacking the insurance industry since early 2025.

Scope of Compromised Information

The compromised information included protected health information, such as members’ names, addresses, birth dates, driver’s license numbers, passport and state ID card numbers, Social Security numbers, health information, and medical insurance data. Affected individuals included Aflac clients, beneficiaries, staff members, or agents.

The reported number of impacted individuals was at least 13.9 million. The breach therefore represents one of the larger reported healthcare-related data security incidents by volume of affected individuals.

Regulatory Implications

The exposure of protected health information triggers obligations under the HIPAA Breach Notification Rule for covered entities and business associates. As a covered entity, Aflac has sent breach notification letters to the victims and provided them with free credit monitoring and identity theft protection services for two years.

Aflac is facing over 20 class action lawsuits filed because of the data breach. OCR has started an investigation to determine whether the company complied with state and government data security regulations. Since the incident involved the breach or theft of protected health information, Aflac should comply with HIPAA laws.