Aflac Says 22.6M People Affected by Cyber Incident Earlier This Year
Aflac said its investigation has revealed a cybersecurity incident discovered six months ago affected more than 22.6 million individuals.
The Columbus, Georgia-based health and life insurer said in a statement earlier this month that it has started to notify impacted individuals but, to date, it is not aware of any fraudulent use of personal identifiable information and will continue to monitor the situation. Aflac said it determined on December 4 that the files potentially impacted likely contained personal information, triggering notifications.
Aflac in June announced it was investigating a breach on its U.S. network that may have exposed customers’ personal information. The cyberattack was discovered on June 12, and was thought to be the work of the cybercrime group known as Scattered Spider.
Soon after Aflac’s announcement, the Google Threat Intelligence Group issued an advisory that Scattered Spider appeared to have shifted its focus from retailers to insurers. Erie Insurance and Philadelphia Insurance each reported network outages as well. Erie in July said they had fully restored business operations and there was no evidence of a data breach. Days prior, Philadelphia said it restored its networks, adding that no ransomware event occurred.
In its latest statement, Aflac reiterated that it launched an immediate investigation with the help of a third-party cybersecurity experts, and it notified federal authorities. The insurer’s customers, beneficiaries, employees, agents, and other individuals related to Aflac were involved. Names, contact information, claims information, health information, social security numbers, and/or other personal information were potentially accessed.
“Importantly, the security incident was contained within hours; our systems were not affected by ransomware and remained operational,” Aflac said.
Also in June, Aflac was hit with a proposed class-action lawsuit in Georgia federal court. The case is still ongoing. Erie was also hit with two class-action lawsuits related to its cyber incident.