Aflac Inc., the prominent supplemental insurance provider, is now facing a proposed class-action lawsuit in the wake of a significant cybersecurity breach that exposed sensitive customer information. The lawsuit, filed by a leading Alabama law firm, claims that Aflac failed to implement sufficient safeguards to protect policyholders’ private data, despite being aware of the growing threat of cyberattacks within the industry.

The complaint, submitted in the U.S. District Court for the Middle District of Georgia—where Aflac maintains its corporate headquarters in Columbus—was brought on behalf of lead plaintiff Martha Graham, a policyholder residing in Union Springs, Alabama. The case is being spearheaded by Beasley, Allen, Crow, Methvin, Portis & Miles P.C., a high-profile Montgomery-based law firm known for major civil litigation, and co-led by former Alabama Lieutenant Governor Jere Beasley.

Negligence Alleged in Data Security Practices

According to the lawsuit, Aflac either negligently or deliberately failed to take proper cybersecurity precautions. The complaint argues that the company did not follow industry best practices or heed well-known government and private-sector recommendations for data protection, thereby exposing its systems to unauthorized access.

“Defendant disregarded the rights of Plaintiff and Class Members by knowingly, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” the complaint alleges.

The incident, disclosed by Aflac just days before the suit was filed, reportedly involves a sophisticated hacking campaign attributed to a cybercriminal group known as Scattered Spider. This group is believed to be behind a string of coordinated attacks targeting the insurance and financial services sectors.

Delay in Notification Criticized

One of the most serious criticisms outlined in the lawsuit is Aflac’s delay in notifying its customers about the breach. The complaint accuses the company of withholding essential information, such as the exact date the cyberattack occurred, the timeline of its internal investigation, and the specific vulnerabilities that were exploited by the attackers.

“The notice provided by Aflac omitted critical facts, including when the data breach occurred, the length of time the attackers had access to the system, and what corrective actions the company took to address the breach,” the filing states. “Aflac failed to inform policyholders for more than a week after discovering the intrusion, leaving customers in the dark and vulnerable to further harm.”

In response to the breach, Aflac is offering affected individuals free credit monitoring services, identity theft protection, and related security tools for a period of 24 months. An Aflac spokesperson declined to comment on the lawsuit directly but shared a customer service number—855-361-0305—for those seeking assistance or information about the incident.

Claims for Damages and Broader Industry Concerns

The lawsuit seeks both compensatory and punitive damages, arguing that the compromised data may be used for a wide range of fraudulent activities. These include unauthorized credit card applications, fraudulent loans, illicit access to government benefits, and tax refund theft—each of which can result in long-term financial and emotional damage for victims.

“By failing to secure the private information of its customers, Aflac has placed them at serious and ongoing risk,” said the plaintiff’s attorneys. “This breach could have been prevented if the company had implemented industry-standard data protection protocols.”

The filing also references cybersecurity best practices recommended by federal agencies and Microsoft’s Threat Protection Intelligence Team. These include multi-factor authentication, endpoint detection and response systems, regular penetration testing, and employee cybersecurity training. The plaintiffs argue that Aflac failed to implement or enforce these measures in a meaningful way.

Wider Legal Trend

This lawsuit is part of a broader wave of litigation in the aftermath of major data breaches, as more consumers and advocacy groups demand accountability from corporations that store personal and financial data. Over the past several years, dozens of class actions have been initiated following similar cybersecurity incidents, with varying outcomes.

Legal experts note that companies can face significant reputational and financial repercussions if found to have been lax in their data security responsibilities. Courts are increasingly scrutinizing whether companies acted reasonably in protecting user data and in how promptly and transparently they responded to cyber incidents.

Next Steps

As of now, Aflac has yet to file a formal response to the class-action complaint. Legal analysts anticipate that the case could prompt further inquiries into the insurer’s cybersecurity practices and may even set a precedent for how courts interpret data protection obligations under federal and state consumer protection laws.

Policyholders and others affected by the breach are encouraged to monitor their credit, report any suspicious activity, and consider enrolling in the company’s offered identity theft protection program while the litigation unfolds.