According to CNET, insurance provider Aflac revealed in December 2025 that a data breach it first reported in June of that year compromised the personal data of 22.65 million people. The company stated that files containing information on customers, beneficiaries, and employees may have included contact details, claims data, health information, and critically, Social Security numbers. Aflac claims it addressed the breach within hours and began notifying customers soon after. On its homepage, the company links to a PDF detailing its response, which includes offering 24 free months of CyEx cybersecurity services for credit and identity theft monitoring. In a press release, Aflac downplayed the impact, stating it is not aware of any fraudulent use of the stolen information so far.
The Downplay Is The Story
Here’s the thing: the most telling part of this update isn’t the staggering number, which is bad enough. It’s the company’s immediate effort to downplay the consequences. Saying they’re “not aware of any fraudulent use” is standard corporate crisis PR, but it’s practically meaningless. Of course they aren’t aware yet. This kind of stolen data, especially Social Security numbers paired with health insurance details, doesn’t get used in a weekend. It gets sold on dark web forums, packaged into identity theft kits, and used fraudulently months or even years down the line. The real impact of this breach will be a slow-rolling nightmare for millions of people, not a single event. And offering two years of monitoring? That’s a start, but it’s a band-aid on a wound that never really heals. Once your SSN and health data are out there, they’re out there for good.
What’s Actually At Risk
So why is this combination of data so dangerous? It’s not just about credit cards. With a Social Security number and health insurance information, criminals can commit medical identity theft. They can file false insurance claims, get medical procedures under your name, and completely corrupt your medical history. Untangling that is a bureaucratic hellscape that makes fixing a fraudulent credit card charge look simple. It can affect your ability to get care, your insurance premiums, and your financial health for a lifetime. Aflac’s offering of medical information protection through CyEx acknowledges this, but it’s reactive, not preventative. The damage is already done. The company posted its official update in a press release and details in a PDF document, but for the affected individuals, the real documentation is just beginning.
A Pattern of Delayed Truth
Now, let’s talk about the timeline. The breach happened, was “addressed within hours,” and was first reported in June. But the full scale—22.65 million people—wasn’t revealed until December. That’s a six-month gap. Why? Companies often need time to fully investigate, but there’s also a well-worn playbook of dribbling out bad news to soften the blow. It’s easier to digest than one giant, terrifying announcement. But for the people whose data was stolen back in June, that’s six months where they were potentially vulnerable without knowing the full extent. It erodes trust. And when a company’s entire business is based on trust—you’re trusting them with your financial and health security—that erosion is catastrophic. Basically, the breach itself is a technical failure, but the communication around it is a leadership failure.
