U.S. Senators Bill Cassidy, chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Maggie Hassan have requested information from Aflac regarding a recent cyberattack on the company’s internal data systems. The request comes as cyberattacks on the health care sector continue to rise.
In 2024 alone, more than 700 large data breaches impacted approximately 276 million Americans. These incidents not only put sensitive health data at risk but have also caused delays in patient care.
“The recent cybersecurity incident affecting Aflac’s supplemental insurance systems highlights the continuing risk to patients and other stakeholders,” wrote the senators. “While Aflac has stated that it ‘stopped the intrusion within hours,’ additional transparency is needed about whether the intruders accessed private consumer and patient data, how Aflac safeguarded protected health information (PHI) prior to the incident, and steps that the company intends to take going forward.”
The HELP Committee recently held its first hearing on cybersecurity since 2022 to discuss ways to better secure patient data. Senators Cassidy and Hassan, along with John Cornyn and Mark Warner, introduced legislation aimed at improving cybersecurity in health care. This legislative effort stems from a working group launched last year focused on this issue.
The letter sent by Cassidy and Hassan outlines several questions for Aflac’s leadership. They seek details about security protocols in place before the attack, when Aflac became aware of the breach, which federal agencies were notified and when notifications occurred. The senators also want information about what types of files may have been compromised—Aflac has indicated these could include claims or health information—and how potentially affected individuals are being informed.
Additional questions address remedial actions taken by Aflac since the breach and any plans for further reporting beyond what is required under HIPAA regulations.
Federal agencies have warned of increased threats from hostile actors targeting U.S. health care entities. Data breaches in this sector can be costly for organizations—with average costs per incident reaching $9.77 million—and can result in disruptions such as medication errors or delayed appointments.
A response from Aflac is requested by September 5, 2025.
