Aflac Data Breach Lawsuit Alleges Failure to Protect Sensitive Customer Data

July 10, 2025

by Brian Eckert

Milberg attorneys have filed a class action lawsuit against Aflac, claiming that the insurance giant was aware of the risks of a cyberattack and failed to protect customers’ sensitive information from a recent hack.

What to Know:

  • Aflac disclosed a cybersecurity incident in June 2025.
  • Exposed data may include personally identifiable information (PII) and protected health information (PHI), such as Social Security numbers and claims data.
  • Plaintiffs allege Aflac failed to encrypt or adequately safeguard this data.
  • The breach is believed to be part of a string of coordinated attacks on insurers by cybercrime group “Scattered Spider.”
  • The class action lawsuit seeks damages and injunctive relief, and millions of impacted individuals may be eligible to join.

The Aflac Data Breach: What Happened

If it looks like a data breach and sounds like a data breach…it’s probably a data breach.

Aflac, the insurance company known for its duck mascot—and the largest provider of supplemental insurance in the United States—has stopped short of calling what happened to its network in June a “data breach,” instead using terms like “intrusion” and “cyber incident” to refer to the cyberattack and resulting exposed data.

Indeed, Aflac has disclosed very little information about the attack. But what it has revealed so far should be deeply concerning to anyone in the United States who does business with the insurer.

Defendant disregarded the rights of Plaintiff and Class Members by failing to implement reasonable measures to safeguard the Private Information of its current and former customers, beneficiaries, employees, agents, and other individuals in its U.S. business, and by failing to take necessary steps to prevent unauthorized disclosure of that information.

On June 12, 2025, Aflac detected “suspicious activity” on its U.S. network and initiated its cybersecurity incident response protocols. The company reported that it was able to stop the attack within hours, with no disruption to its core operations such as claims processing and customer service.

Aflac notified customers about the incident on June 20, 2025, through email and a press release. According to those notifications and subsequent reports, an unauthorized third party accessed systems containing sensitive information, including claims data, health records, Social Security numbers, and other personally identifiable information tied to policyholders, beneficiaries, employees, agents, and others.

The company described the attack as part of a larger campaign by a sophisticated cybercrime group using social engineering techniques to bypass security measures. The investigation remains ongoing, and Aflac has not publicly confirmed the total number of individuals affected. However, as a major insurance provider, millions of records may have been exposed. The company claims to provide financial protection for more than 50 million people worldwide.

Aflac engaged third-party cybersecurity experts to assist with containment and remediation efforts. The insurer also offered 24 months of free credit monitoring and identity theft protection services, and established a dedicated call center to assist impacted individuals.

The Aftermath: Milberg’s Aflac Class Action Lawsuit

Just days after Aflac notified customers of the data breach, lead plaintiff Jessica Batiste and attorneys at Milberg filed a data breach class action complaint in Georgia federal court.

Batiste alleges that Aflac failed to implement reasonable cybersecurity measures, leaving millions of individuals exposed to identity theft and other harms. Her complaint claims Aflac disregarded industry standards and federal guidance when it failed to encrypt sensitive data stored on its network. This failure allegedly allowed attackers to exfiltrate unencrypted data containing the stolen personal information.

Batiste, a Texas resident, says she has experienced emotional distress and anxiety over potential misuse of her data. She contends that two years of credit monitoring offered by Aflac is insufficient to address the long-term risks posed by the breach and anticipates spending considerable time and money moving forward to try to mitigate its harms and the lifetime risk of identity theft and fraud. Her lawsuit seeks:

  • Monetary relief for affected individuals
  • Punitive damages to deter future negligence
  • Injunctive relief requiring Aflac to adopt stronger data security practices
  • Extended identity theft protection for all impacted consumers

Batiste has asked the court to certify a nationwide class of all U.S. residents whose information was compromised. If the Aflac data breach lawsuit is approved, millions could potentially join the action. Batiste and the class are represented by Milberg attorney Casondra Turner of the firm’s Knoxville, TN office, whose primary area of focus is Information Technology class action matters.

Was Aflac Attack Part of a Coordinated Cybercrime Campaign?

Aflac denied that the attack involved ransomware and said its initial assessment indicated the intruders used so-called “social engineering tactics” to access the network.

Cyber Magazine writes that human vulnerability to “being exploited by lies, curiosity or fear” is behind a rapid increase in “social engineering” cybercrime.

Social engineering tactics rely on deception and exploiting human vulnerabilities to make people willingly hand over sensitive information, rather than relying on strictly technical exploits. And they’re increasing in volume and complexity as attackers leverage new and emerging technologies like AI. These high-tech con-artist style strategies, for example, were blamed for the Coinbase data breach of May 2025 and have shown an uptick in the crypto and other sectors.

Aflac has not disclosed details about how the hackers might have used social engineering to access its network. It stated, however, that based on intelligence from the cybersecurity community, the incident may be part of a broader series of cyberattacks targeting insurers.

“This was part of a cybercrime campaign against the insurance industry,” Aflac explained in its press release.

The likely attacker, reports The HIPAA Journal, is Scattered Spider, a group known for concentrating attacks against large companies in one sector at a time.

In the weeks prior to the Aflac data breach, the Erie Insurance Group and the Philadelphia Insurance Companies also experienced data breaches that bear the hallmarks of Scattered Spider, which, according to the Journal, include phishing attacks, push bombing, SIM swapping, information harvesting, impersonating high-level individuals (e.g., the CFO), and requesting an urgent password reset or a new multifactor authentication.

On June 16, just days before the Aflac incident, Google warned the insurance industry to be on “high alert” following multiple confirmed incidents at insurance companies.

“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” John Hultquist, chief analyst at Google Threat Intelligence Group, said in a statement.

As cyberthreats evolve, and more and more personal data is put at risk, Milberg’s Cybersecurity & Privacy practice will continue filing lawsuits to hold negligent data handlers liable.
