The supplemental insurance provider known for its distinctive duck has released a public relations statement about a cyberattack the company recently faced.
On June 20th, Aflac released a PR statement about suspicious activity the company had identified in its network. The incident was identified on June 12th, 2025.
Aflac is opening an investigation into the incident and said its initial findings indicate that cybercriminals deployed “social engineering tactics,” or measures that rely on manipulation, to gain network access. Since the investigation has only just begun, Aflac has only limited information on the attack.
As the investigation continues, Aflac believes potentially impacted files may contain claims information, health information, Social Security numbers, and/or other personal information related to customers, beneficiaries, employees, agents, and other individuals in its US business.
Aflac said they wanted to provide a notice to the public in the investigation's early stages “in the spirit of transparency and care for our customers.”
The team said they are currently unable to determine the total number of impacted individuals or who was impacted. Nevertheless, Aflac is offering anyone who believes they may have been impacted free credit monitoring and identity theft protection, as well as Medical Shield for 24 months.
Aflac ended their statement saying, “We regret that this incident occurred. We will be working to keep our stakeholders informed as we learn more and continue investigating the incident.”
According to ABC News, other insurance companies, including Philadelphia Insurance Companies and Erie Insurance, have experienced their own breaches in recent months, leading some experts to believe that insurance companies are increasingly being targeted by cybercriminals.
While every data breach matters, insurance companies may have particularly sensitive information related to potential future medical issues. This information may be appealing on the black market, as it could be used for extortion or identity theft.
Yes, insurance companies are covered by HIPAA because they are business associates, meaning they generally handle protected health information (PHI) to process claims.
Unfortunately, the time it takes to complete a data breach investigation varies widely. Many breaches take at least a month to investigate, but some can take up to a year. If you use Aflac, but aren’t sure if your data has been impacted, it may still be wise to take advantage of the identity protection services being offered.