What You Need to Know about the Aflac Data Breach

The American Family Life Assurance Company of Columbus (Aflac) is a Fortune 500 company that provides financial protection through supplemental life and health insurance products to millions of individuals worldwide. Founded in 1955, the company serves policyholders and customers through its subsidiaries in the United States and Japan. 

Recently, the Columbus-based supplemental insurance company confirmed that a security incident it disclosed in June affected over 22 million customers. The number of individuals affected was not initially specified. In an update shared by the company, Aflac announced it detected suspicious activity on some of its systems and promptly secured accounts identified as potentially impacted. It also took additional steps, which included resetting passwords and further monitoring for signs of suspicious activity.

Aflac said the compromised files could contain health information, claims information, Social Security numbers, and other personal information related to beneficiaries, customers, agents, employees, and other individuals in its U.S. subsidiary. In a filing with the Texas Attorney General, the company said personal information exposed includes customer names, home addresses, driver’s license numbers, dates of birth, and government-issued ID numbers. Another filing with the Iowa Attorney General alleges that the cybercriminals responsible for the attack may be affiliated with a well-known cybercriminal organization, the Scattered Spider organization, although unconfirmed.

When Was the Aflac Data Breach?

Aflac detected this data breach on June 12, 2025, and launched an immediate response with support from third-party cybersecurity experts. The company, in an update related to the incident, confirmed it contained the incident within hours and that its systems were not affected by ransomware and remained fully operational.

After a comprehensive review of the incident, the company, on December 4, 2025, determined that the files potentially impacted likely contained customers’ personal information. According to reports, Aflac is not aware of any fraudulent use of compromised customers’ data as a result of the security incident. Following its detailed review of the security incident, Aflac, in late December 2025, began the process of notifying individuals whose information may have been compromised.

How to Check If Your Data Was Breached

Aflac is already sending out breach notification letters to affected individuals confirming that their data was compromised in the June 2025 incident. You will receive the letter if the company determines you were also impacted. However, it is important to continue checking for updates about this breach on the company’s website.

Alternatively, you can look up reputable breach-check sites to find out if your personal information was stolen by the cyberactors during the June 2025 Aflac security incident. Many of these websites will allow you to search by email address and specify which site was breached, as well as the type of information that was exposed.

If you have not received a notification letter regarding the breach but think you may have been affected, checking your accounts may help confirm your suspicion. For instance, any unfamiliar inquiries or new accounts in your credit reports, unauthorized transactions in your bank and credit card statements, or unusual activity in your online accounts may indicate someone is misusing your stolen information.

Furthermore, you may review your medical bills and Social Security statements for benefits or services you did not apply for or receive. If you identify any, there is a chance that your data was compromised in the Aflac security incident.

What to Do If Your Data Was Breached

Following Aflac’s detailed review of potentially impacted files in the data breach, the company is offering affected individuals free credit identity monitoring, identity theft protection, customer support, and medical fraud protection, as well as CyEx Medical Shield for 24 months. If your information was exposed, you can enroll for these offers by contacting the company’s call center at (855) 361-0305 between 9:00 a.m. and 9:00 p.m., Mondays through Fridays, excluding major U.S. holidays. The final deadline to register is April 18, 2026.

Furthermore, you need to remain vigilant against attempts at identity theft. Review your financial accounts, credit reports, and insurance statements regularly for any unusual or suspicious activity or charges/transactions. You may order a free credit report from the three major credit bureaus in the U.S., while you can contact your financial institution for bank or credit card statements. If you find anything suspicious or unusual, contact Aflac immediately through any of the official communication channels listed on the company’s website. 

For an extra layer of security, you may consider enabling multi-factor authentication on your accounts where possible. Additionally, you may want to place a credit freeze or fraud alert on your credit files and credit reports. A credit freeze prevents unauthorized individuals from opening new accounts in your name, particularly if your Social Security number was leaked. On the other hand, a fraud alert ensures lenders contact you and verify your identity before approving new credit.

If you suspect any misuse of any data compromised as a result of the Aflac data breach, report it to your local law enforcement or the Federal Trade Commission (FTC) immediately.

Are There Any Lawsuits Because of the Data Breach?

Yes, many lawsuits have been filed against Aflac following the June 2025 cyberattack that may have exposed sensitive customer data. These include the following:

• Larry Golston, Dee Miles, and Leon Hampton filed a class action in federal court in Columbus, Georgia, in July 2025. The suit accuses Aflac of negligence, unjust enrichment, breach of contract, and invasion of privacy. They claim that the company failed to protect its policyholder’s private information. The complaints aim to secure recovery for all policyholders who have been affected by Aflac’s failure to protect their private data.
• A lead defendant with the initials L.P. filed a class-action lawsuit in the Columbus Division of the U.S. District Court in the Middle District of Georgia in June 2025. The lawsuit, assigned Case No. 4:25-CV-00197, alleges Aflac’s failure to implement reasonable and industry-standard practices to secure, safeguard, and properly destroy class members’ sensitive data that the company had acquired for its business purposes.

Several other notable litigations against Aflac regarding the June 2025 incident are consolidated and filed in the U.S. District Court for the Middle District of Georgia, Columbia Division.

Can My Aflac Information Be Used for Identity Theft?

Yes, customers’ data held in Aflac’s database can be used for identity theft if exposed in a data breach. In the recent security incident, unauthorized parties accessed sensitive information, such as Social Security numbers, health information, claims information, customer names, home addresses, driver’s license numbers, dates of birth, and government-issued ID numbers. These pieces of information are valuable to identity thieves.

An identity thief can impersonate you and obtain medical services or fill prescriptions with your health information. Similarly, they can apply for government benefits in your name with your Social Security number. Furthermore, a criminal who has your full name, driver’s license number, and/or any other government-issued ID number may open bank accounts, new credit accounts, or obtain loans in your name. They can even trick your banks and take over your existing accounts to make unauthorized purchases or transfer funds.

Identity thieves can also use your ID and driver’s license number to create fake IDs. Such IDs will have your real information but show the criminal’s photo, identifying features, and signature. In worst-case scenarios, an identity thief may commit crimes and pretend to be you during an arrest, providing your name to law enforcement. This can potentially lead to a false criminal record in your name. Similarly, they can sell your sensitive information to other criminals on the dark web, a hidden part of the internet that is popular among criminals.

What Can You Do to Protect Yourself Online?

In today’s digital age, here are things you can do to protect yourself online in the face of rising cybersecurity incidents:

• Enable multi-factor authentication (MFA) to keep your accounts secure. Once enabled, you have an extra layer of security. Even if a hacker stole your password, access will not be granted without asking for a second form of verification.
• Be on the lookout for phishing scams that use emails and text messages. Even if an email or text message looks convincing and appears to be from a legitimate source, always double-check the source by hovering over links. Avoid clicking SMS or email links when in doubt.
• Monitor your financial accounts regularly for unusual and suspicious transactions or charges, no matter how small. If you notice any, contact your bank immediately to help mitigate the risk. You can set up real-time transaction alerts on your bank apps for prompt notifications of suspicious activity.
• Consider signing up for a credit monitoring service to enable you to get notifications for new accounts and other activity on your credit reports.
• Create strong passwords for your online and bank account apps, and be sure to use a different password for each account. A strong password has at least 12 characters and contains a mix of numbers, both lowercase and uppercase letters, and special characters. Your password should not contain personal information or be easily guessed.
• Avoid sharing sensitive information over public Wi-Fi. Also, ensure you secure your home network with a strong password.
• Keep your software and devices up to date. Regular updates make your devices more secure. If possible, enable automatic updates so your devices can install new updates as soon as they are available.
• Consider investing in personal cybersecurity tools, such as reliable anti-malware and antivirus software. These help in blocking malicious programs.