Chair Cassidy, Hassan Request Information on Aflac Data Breach Amid Growing Cyberattacks on Health Sector

WASHINGTON – U.S. Senators Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Maggie Hassan (D-NH) requested information from Aflac following a recent cyberattack on their internal data systems.

This comes amid increasing cyberattacks on the health care sector. In 2024, there were over 700 large data breaches that impacted approximately 276 million Americans. These attacks not only threaten Americans’ sensitive health data, but delay lifesaving care to patients.

“The recent cybersecurity incident affecting Aflac’s supplemental insurance systems highlights the continuing risk to patients and other stakeholders,” wrote the senators. “While Aflac has stated that it ‘stopped the intrusion within hours,’ additional transparency is needed about whether the intruders accessed private consumer and patient data, how Aflac safeguarded protected health information (PHI) prior to the incident, and steps that the company intends to take going forward.”

Last month, the HELP Committee held the first hearing on cybersecurity since 2022 to discuss solutions to secure and safeguard patient data. Cassidy and Hassan along with U.S. Senators John Cornyn (R-TX) and Mark Warner (D-VA) introduced legislation to strengthen cybersecurity in the health care sector and protect Americans’ health data. This legislation is a product of the senators’ health care cybersecurity working group launched last year.

Read the full letter here or below.

Dear Mr. Amos,

Cybersecurity threats pose a substantial risk to the health care system and American patients. Last year, there were over 700 large data breaches that impacted approximately 276 million Americans.^[1] These attacks not only cost impacted organizations an estimated $9.77 million per incident but also have led to interruptions in health care, including medication errors and delayed patient appointments.^[2] Numerous federal agencies have recently warned of the growing risk of potential attacks by hostile actors, including Iran, against U.S. health care entities.^[3]

The recent cybersecurity incident affecting Aflac’s supplemental insurance systems highlights the continuing risk to patients and other stakeholders. While Aflac has stated that it “stopped the intrusion within hours,” additional transparency is needed about whether the intruders accessed private consumer and patient data, how Aflac safeguarded protected health information (PHI) prior to the incident, and steps that the company intends to take going forward. Therefore, I ask that you answer the following questions on a question-by-question basis by September 5, 2025:

1. What security protocols, both cyber and physical, does Aflac have in place to protect against a cyberattack?

2. How does Aflac incorporate cybersecurity best practices implemented by other critical infrastructure sectors?

3. When did Aflac first become aware of a cyberattack on its systems?

4. When did Aflac notify federal agencies of a cyberattack, and which agencies did Aflac notify?

5. Aflac has stated that “potentially impacted files contain claims information [and] health information.”^[4]
1. What steps is Aflac taking to identify what information may have been compromised?
2. When does Aflac expect to finalize steps to identify this information?
3. How is Aflac proactively communicating with potentially impacted individuals and entities?

6. What remedial steps has Aflac taken or intend to take to improve its security protocols?
7. What additional reporting does Aflac commit to doing for individuals who have had their information disclosed, beyond the reporting requirements under the Health Insurance Portability and Accountability Act (HIPAA)?

###

For all news and updates from HELP Republicans, visit our website or Twitter at @GOPHELP.