Aflac Hit With Class Action Over Data Breach of Customer Info

An Alabama law firm wasted little time in filing a proposed class-action lawsuit against Aflac Inc., claiming the supplemental insurance giant knew the risks of a cyberattack and failed to protect policyholders’ private information.

“Defendant disregarded the rights of Plaintiff and Class Members by … intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” reads the complaint filed on behalf of lead plaintiff Martha Graham, an insured who lives in Union Springs, Alabama.

Related: Aflac Reports Potential Leak of Personal Data in Breach

The suit came just days after Aflac disclosed the cybersecurity incident, in which customers’ personal information was compromised. The attack is believed to be part of a widespread hack against several insurance companies by a group known as Scattered Spider, according to the complaint and news reports.

The suit is being handled by the well-known Beasley, Allen law firm, based in Montgomery, Alabama, and led in part by former Alabama Lt. Gov. Jere Beasley. The complaint was filed in federal court in the Middle District of Georgia, where Aflac is headquartered in Columbus. It faults Aflac for waiting to notify affected policyholders and failing to give complete information.

“Omitted from the notice were the dates of the data breach, the dates of Defendant’s investigation, any explanation as to why Defendant failed to inform Plaintiff and Class Members of the Data Breach’s occurrence for more than a week after detecting the cyberattack, the details of the root cause of the data breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again,” the complaint reads.

Related: Insurance Sector Should Be on the Lookout for ‘Scattered Spider’ Hackers

The company has not yet filed a response to the complaint, and an Aflac representative said the company could not comment about the suit. The insurer is offering free credit monitoring, identity theft protection and other protections for 24 months. Customers can call 855-361-0305, the spokesperson said in an email.

The plaintiffs ask for compensatory and punitive damages, noting that their personal information can be used to commit crimes, including opening accounts in customers’ names; taking out loans; gaining government benefits and tax refunds.

The suit also lists multiple steps that Aflac should have taken to ensure the security of the information, as recommended by the federal government and by Microsoft’s Threat Protection Intelligence Team.

Those recommendations and the complaint can be seen here.

The legal action is the latest of dozens of class actions that have been pursued after cyber attacks in recent years. Most of them allege that victimized companies should have better protected customers’ information, according to news reports and ClassAction.org.

Photo: Adobe Stock images.