Security | June 14, 2026 | 8 min read

What to Do After the Aflac Data Breach

By Sarah Chen

Head of Privacy Research

Aflac, one of the largest supplemental insurance providers in the United States, disclosed a massive data breach affecting approximately 22.65 million people — including customers, beneficiaries, employees, and agents. The breach, attributed to the cybercriminal group Scattered Spider, resulted in the exfiltration of highly sensitive personal data before Aflac could shut down access. If you are among the millions affected, here is exactly what you need to do to protect yourself.

What Happened in the Aflac Breach

The attack was carried out by Scattered Spider, an English-speaking cybercriminal group known for posing as IT workers to gain access to corporate systems. Unlike many high-profile cyberattacks, this was not a ransomware attack — the attackers did not encrypt Aflac's systems or demand payment. Instead, they infiltrated Aflac's network and exfiltrated massive amounts of personal data before being detected.

Aflac stated that the unauthorized access was thwarted "within hours," but by that point, the damage was already done. The stolen data had been copied and removed from Aflac's systems. With 22.65 million individuals affected, this stands as one of the largest data breaches in the history of the insurance industry.

What Data Was Stolen

The scope of the stolen data is extensive and includes some of the most sensitive categories of personal information:

  • Full names and dates of birth
  • Home addresses
  • Social Security numbers
  • Government-issued ID numbers (passports, state IDs)
  • Driver's license numbers
  • Medical and health insurance information
  • Insurance claims data

This Is an Especially Dangerous Breach

The combination of Social Security numbers, government IDs, medical records, and home addresses gives criminals virtually everything they need to commit identity theft, open fraudulent accounts, file fake insurance claims, or carry out targeted phishing attacks. Unlike a password, you cannot simply change your Social Security number or date of birth.

Immediate Steps to Take Now

1. Freeze Your Credit at All Three Bureaus

Because Social Security numbers were compromised, freezing your credit is the single most important step you can take. A credit freeze blocks lenders from accessing your credit report, preventing criminals from opening new accounts in your name. It is completely free and does not affect your credit score.

  • Equifax: equifax.com/personal/credit-report-services/credit-freeze
  • Experian: experian.com/freeze
  • TransUnion: transunion.com/credit-freeze

Also freeze your credit at Innovis (innovis.com) and ChexSystems (chexsystems.com) to close gaps that identity thieves exploit.

2. Enroll in Aflac's Free Identity Protection

Aflac is offering two years of complimentary identity protection services to affected individuals. If you received a breach notification letter from Aflac, follow the enrollment instructions carefully. These services typically include credit monitoring, identity restoration assistance, and insurance coverage for identity theft expenses. Do not let this benefit expire unused — enroll as soon as possible.

3. Change Your Passwords

Change your password on any Aflac-related accounts immediately. If you used the same password elsewhere — especially on email, banking, or insurance accounts — change those too. Use a password manager to generate unique, strong passwords for every account, and enable two-factor authentication (2FA) wherever it is available.

4. Request an IRS Identity Protection PIN

With your Social Security number exposed, criminals may attempt to file a fraudulent tax return in your name. Visit irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin to obtain an IP PIN, which prevents anyone else from filing a return using your SSN.

5. File a Report with the FTC

Even if you have not yet seen signs of fraud, filing a report at IdentityTheft.gov creates an official record and gives you access to a personalized recovery plan. If fraud does occur later, having this report on file strengthens your case with creditors and law enforcement.

Watch for Phishing Attacks Targeting Aflac Customers

After any major breach, phishing attacks targeting the affected company's customers surge. Criminals already know your name and that you have a relationship with Aflac, which makes their fake emails and calls far more convincing.

  • Be skeptical of any communication claiming to be from Aflac — especially emails, texts, or calls asking you to click a link, verify your identity, or provide additional personal information.
  • Do not click links in emails. Instead, go directly to aflac.com by typing the address into your browser.
  • Verify phone calls independently. If someone calls claiming to be from Aflac, hang up and call the official Aflac customer service number listed on your policy documents.
  • Watch for impersonation scams. Because Scattered Spider is known for social engineering tactics, be wary of anyone claiming to be an Aflac representative, insurance agent, or IT support technician.

Red Flags for Phishing

Legitimate breach notifications from Aflac will never ask you to provide your Social Security number, password, or financial account details by email or phone. Any communication that creates urgency ("your account will be locked") or requests sensitive information is almost certainly a scam.

Long-Term Protection Steps

The effects of a breach this severe extend far beyond the initial incident. Your stolen data may be sold, traded, or used for years to come. Take these ongoing steps to protect yourself:

  • Monitor your credit reports regularly. Check your free reports at AnnualCreditReport.com for unfamiliar accounts, hard inquiries, or address changes you did not authorize.
  • Review medical insurance statements. Since health insurance information was stolen, watch for Explanation of Benefits (EOB) statements for services you did not receive. Medical identity theft can result in fraudulent claims filed under your insurance and incorrect entries in your medical records.
  • Check your Social Security statement. Visit ssa.gov to review your earnings record for any unauthorized activity.
  • Set up transaction alerts on all bank accounts and credit cards so you are notified immediately of any unusual activity.
  • File your tax return early each year to beat potential fraudsters who may attempt to file using your stolen SSN.

How PrivacyOn Helps After a Breach Like This

When a breach of this magnitude occurs, the stolen data does not stay in one place. Within weeks, your personal information can appear on data broker websites, people search sites, and dark web marketplaces. These sites make it trivially easy for anyone — from identity thieves to scammers — to find your name, address, phone number, and more.

PrivacyOn attacks this problem at the source. It continuously monitors 100+ data broker sites and submits removal requests on your behalf, pulling your personal information out of the databases where criminals and scammers go to find their targets. PrivacyOn also includes dark web monitoring, which alerts you if your data surfaces in leaked databases or criminal forums. For Aflac breach victims, this combination of data removal and ongoing surveillance provides a critical layer of protection that complements credit freezes and identity monitoring.

Frequently Asked Questions

How do I know if I was affected by the Aflac breach?

Aflac is sending notification letters to affected individuals. If you are a current or former Aflac customer, beneficiary, employee, or agent, check your mail and email for correspondence from Aflac. You can also contact Aflac's customer service directly to ask whether your data was involved.

Is the free identity protection from Aflac enough?

Aflac's two-year identity protection offer is a good starting point, but it primarily monitors for fraud after it happens. It does not remove your personal information from the data broker sites where criminals find their targets. Pairing it with a data removal service like PrivacyOn provides more comprehensive, proactive protection.

Should I close my Aflac policy?

Closing your policy is a personal decision and does not undo the breach. Your data was already stolen regardless of whether you remain a customer. Focus on the protective steps outlined above rather than canceling coverage you may need.

Can criminals use my medical information?

Yes. Stolen medical and insurance information can be used to file fraudulent insurance claims, obtain prescription medications, or receive medical care under your identity. Review all EOB statements carefully and report any discrepancies to your insurer immediately.

How long should I keep monitoring my accounts?

Indefinitely. Stolen personal data — especially Social Security numbers and dates of birth — never expires. Criminals may wait months or years before using stolen information. Make credit monitoring, statement reviews, and early tax filing part of your ongoing routine.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
