Aflac Data Breach Affects Over 2 Million Exposing Social Security Numbers

On June 12, 2025, Aflac Incorporated, one of the largest providers of supplemental insurance in the United States and Japan, identified suspicious activity on its network in the U.S. The company initiated its cyber incident response protocols and, within hours, contained the intrusion.

According to Aflac, the breach was part of a broader cybercrime campaign targeting the insurance industry. The attackers, described as a sophisticated cybercrime group, used social engineering tactics to gain unauthorized access to Aflac’s systems.

The breach resulted in the exposure of sensitive information belonging to more than two million people in the United States, including 2,055,982 individuals in Texas, 118,478 in Montana, 239,076 in Iowa, and 61,869 in Rhode Island.

The types of information exposed include personally identifiable information (PII) such as name, contact information, date of birth, Social Security number and tax ID number, as well as protected health information (PHI) including health information, medical record number, date of service, health insurance ID number and other health insurance details.

The exposed data related to customers, beneficiaries, employees, agents and others associated with Aflac’s U.S. business. Aflac discovered the breach on June 12, 2025, and began a detailed review of impacted files.

Beginning on Aug. 8, 2025, the company disclosed the breach to the following authorities:

• California Attorney General
• Montana Attorney General
• Texas Attorney General
• Iowa Attorney General
• Rhode Island Attorney General
• U.S. Department of Health and Human Services
• U.S. Securities and Exchange Commission (SEC)

The company also disclosed the breach on its website. Impacted individuals have been notified by mail.

Aflac Incorporated's response

For those affected by the breach, Aflac is offering 24 months of free CyEx Medical Shield, which includes credit monitoring, identity theft protection, medical fraud protection and customer support. Impacted individuals can enroll in these services by following the instructions provided in their notification letter.

The company is also operating a dedicated call center at 1-855-361-0305 to answer questions and provide support.

Given the nature of the breach, which involved both PII and PHI, affected individuals are encouraged to remain vigilant. It is advisable to review credit reports, financial accounts and insurance statements for suspicious activity. Placing a fraud alert or security freeze on credit files may provide additional protection.

If any suspicious activity is detected, individuals should promptly notify the relevant financial institution or company, and consider reporting incidents to law enforcement or the Federal Trade Commission.