Aflac is under pressure from U.S. lawmakers to disclose more about a data breach that compromised personal and health information.
What happened
Senators Bill Cassidy (R-La.) and Maggie Hassan (D-N.H.) have sent a letter to Aflac’s CEO, Daniel P. Amos, requesting detailed information about the company’s June 2025 cybersecurity incident. Aflac had disclosed the breach on June 12 in a U.S. Securities and Exchange Commission (SEC) filing, confirming that customer claims and protected health information were accessed.
The senators are seeking clarification on several fronts: the company’s security posture before the attack, whether federal agencies were notified, and how Aflac is communicating with affected individuals. They also asked what measures have been taken to contain the damage and prevent future attacks, and whether Aflac will go beyond HIPAA’s reporting requirements in its response.
Aflac has until September 5 to respond to the inquiry.
Going deeper
Aflac, the largest provider of supplemental insurance in the U.S., serves more than 50 million people globally. The company said the breach did not disrupt operations and was contained within hours. Ransomware was not deployed, but personal and health data were exposed.
The compromised data may include names, Social Security numbers, claims details, and contact information relating to customers, employees, agents, and beneficiaries. Aflac has engaged third-party cybersecurity experts and is offering complimentary identity protection to those affected. The exact number of individuals impacted remains unknown, and the breach has been reported to the Department of Health and Human Services using a placeholder of 500 individuals.
The incident appears to be part of a wider campaign targeting U.S. insurers. Similar attacks have been reported by Erie Insurance Group and Philadelphia Insurance Companies. None of the attacks involved encryption, and all are suspected to involve data theft by the same threat actor.
What was said
Aflac stated that the breach was the work of a “sophisticated cybercrime group” and part of a broader campaign against the insurance sector. In a public statement, the company confirmed it had activated its incident response protocols and stressed that no ransomware was deployed.
Senators Cassidy and Hassan have publicly stressed the need for transparency and improved cybersecurity practices across main industries like insurance. Their letter signals growing congressional interest in sector-wide cyber preparedness and accountability.
FAQs
Who are Senators Cassidy and Hassan, and why are they involved?
Sen. Cassidy chairs the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Sen. Hassan is a committee member. They are seeking clarity on the Aflac breach due to its implications for health data security.
What is Scattered Spider, and why is it being linked to the breach?
Scattered Spider is a known threat group that has recently shifted focus to the insurance sector. Researchers say the Aflac attack shares similarities with the group’s previous campaigns, though attribution has not been confirmed.
Why did Aflac report only 500 affected individuals?
That number is a placeholder required for initial breach notifications under federal regulations. The final number will be updated once the file review is complete.
How does this breach differ from typical ransomware attacks?
Unlike traditional ransomware attacks, this breach involved data theft without file encryption. The group may be shifting tactics to focus solely on extortion based on stolen data.
Farah Amod
