Aflac Says Cybersecurity Incident Involved Personal Information of 22.65 Million People

Aflac disclosed that a cybersecurity incident affecting its U.S. business exposed personal information tied to approximately 22.65 million people. The company confirmed this number after completing a review of potentially impacted files, following the initial disclosure of suspicious activity in June.

The incident involved data related to customers, beneficiaries, employees, agents, and others, including names, contact details, claims data, health information, Social Security numbers, and other sensitive information. Aflac stated it contained the intrusion within hours, did not experience ransomware, and remained operational throughout.

After detecting the incident, Aflac secured affected accounts, reset passwords, and increased monitoring. The company says it is not currently aware of any fraudulent misuse of the data. Impacted individuals are now being notified, and Aflac has already provided credit monitoring, identity theft protection, and medical fraud protection.

Aflac attributed the attack to a sophisticated cybercrime group targeting the insurance industry. This aligns with broader trends noted by the FBI’s IC3, which reported data breaches as one of the most common cybercrimes in 2024.