Senate Demands Aflac to Provide Details on Recent Cybersecurity Breach
Post Summary
Aflac experienced a cyberattack in June 2025, potentially exposing sensitive customer data, including health and Social Security information.
Aflac initiated its cybersecurity response protocols and contained the intrusion within hours.
U.S. Senators are demanding transparency from Aflac about the breach, including whether private consumer data was accessed and how the company plans to prevent future incidents.
The breach potentially exposed customer health information, Social Security numbers, and other personal data.
The incident underscores the growing threat of cyberattacks on the healthcare sector, which jeopardize patient data and disrupt critical care.
Senators have introduced legislation to strengthen cybersecurity in the healthcare sector and protect sensitive data.
Aflac, one of the largest supplemental health insurance providers in the United States, is under scrutiny from the U.S. Senate following a recent cybersecurity breach that compromised sensitive data. A Senate committee, led by Senators Bill Cassidy, M.D. (R-La.) and Maggie Hassan (D-N.H.), has requested further details about the incident, which was first disclosed to regulators in June. The committee is pressing Aflac for more clarity on how the breach unfolded and the measures the company is taking to prevent future incidents.
Senators Seek Transparency
In a letter dated August 22, the Senate Health, Education, Labor and Pensions (HELP) Committee demanded answers from Aflac CEO Daniel Amos. The letter specifically asked the company to explain its cybersecurity protocols - both digital and physical - prior to the breach. The senators also called on Aflac to detail the steps it is taking to safeguard its systems and determine whether private consumer and patient data were accessed in the attack.
The lawmakers emphasized the importance of transparency, writing that cyberattacks pose "substantial risk to the healthcare system and American patients." They have requested a response from Aflac by September 5.
Timeline of the Breach
Aflac first notified regulators at the U.S. Securities and Exchange Commission (SEC) about the breach on June 20. At the time, the company described the incident as part of a "cybercrime campaign" targeting the insurance sector. The U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool later revealed that at least 500 individuals' protected health information had been compromised, though this number is likely a placeholder estimate.
In public statements, Aflac has claimed it "stopped the intrusion within hours." However, this has not quelled concerns from lawmakers, who are seeking "additional transparency" about the scope of the breach.
Rising Threats to Healthcare
The Senate’s letter drew attention to the growing frequency and impact of cyberattacks on the healthcare and insurance industries. "Last year, there were over 700 large data breaches that impacted approximately 276 million Americans", the letter stated. These incidents not only lead to significant financial costs - averaging $9.77 million per breach - but have also disrupted healthcare services, resulting in delayed appointments and medication errors.
The senators note that federal agencies have warned of increasing threats to healthcare entities, including potential attacks by foreign actors like Iran. The Aflac breach, they wrote, highlights the ongoing risks to patients and critical infrastructure.
Industry Comparisons and Questions
The letter also references a February 2024 ransomware attack on Change Healthcare, a UnitedHealth Group IT services unit, which led to the largest health data breach in U.S. history, affecting 192.7 million individuals. Lawmakers are urging Aflac to explain whether it has adopted cybersecurity best practices used by other critical infrastructure sectors.
In addition, the senators have asked Aflac to clarify when it first became aware of the attack and to outline efforts to identify compromised information. They also want to know how Aflac is communicating with affected individuals and what additional reporting the company plans to provide beyond what is required by HIPAA.
Broader Legislative Efforts
This inquiry comes amidst broader legislative efforts to strengthen cybersecurity in the healthcare sector. Last year, Senators Cassidy and Hassan, along with colleagues Mark Warner (D-Va.) and John Cornyn (R-Texas), introduced the Health Care Cybersecurity and Resiliency Act of 2024. The bipartisan bill aims to improve cybersecurity coordination between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency. However, like similar efforts in recent years, the bill has yet to gain traction in Congress.
Aflac’s Silence
As of now, Aflac has not responded to inquiries from Information Security Media Group regarding the Senate’s letter or for further details about the breach. Likewise, the Senate HELP Committee has not commented on whether it plans to hold hearings on the incident.
The letter underscores the urgency of addressing cybersecurity vulnerabilities in the healthcare and insurance sectors, as lawmakers push for greater accountability and transparency from industry leaders like Aflac.
Key Points:
What is the Aflac cybersecurity breach, and when did it occur?
- The breach occurred in June 2025.
- Aflac experienced unauthorized access to its U.S. network.
- Sensitive customer data, including health records, Social Security numbers, and claims data, may have been exposed.
How did Aflac respond to the cyberattack?
- Aflac activated its cybersecurity incident response protocols immediately.
- The intrusion was contained within hours of detection on June 12, 2025.
- The company launched an investigation to assess the scope of the breach.
Why is the U.S. Senate demanding answers from Aflac?
- Senators are seeking transparency about the breach’s impact on consumer and patient data.
- They want details on how Aflac safeguarded protected health information (PHI) before the incident.
- The Senate is also pressing for information on Aflac’s plans to prevent future breaches.
What data may have been compromised in the breach?
- Potentially exposed data includes:
- Health records.
- Social Security numbers.
- Claims and other personal information.
- The exact number of affected individuals has not been disclosed.
What broader implications does this breach have for the healthcare sector?
- The breach highlights the growing vulnerability of the healthcare industry to cyberattacks.
- In 2024, over 700 large-scale data breaches impacted 276 million Americans.
- These incidents disrupt patient care and expose sensitive data, emphasizing the need for stronger cybersecurity measures.
What legislative actions are being taken to address healthcare cybersecurity risks?
- Senators have introduced legislation to strengthen cybersecurity in the healthcare sector.
- The proposed measures aim to:
- Protect patient data.
- Prevent disruptions to critical care services.
- Address vulnerabilities exposed by incidents like the Aflac breach.
