1. Home
  2. |Insights
  3. |Series of Major Data Breaches Targeting the Insurance Industry

Series of Major Data Breaches Targeting the Insurance Industry

Client Alert | 4 min read | 08.06.25

Threat actors have targeted insurance companies in a recent string of cyber-attacks, exposing patients’ personal information, including Social Security numbers, claims information, and health reports.

For example, Allianz Life Insurance Company of North America (“Allianz Life”) reported a mid-July breach to the Maine Attorney General’s Office that compromised Allianz Life’s data. According to public reports and the regulatory filing, the threat actor gained unauthorized access to Allianz Life’s systems through an external system, suggesting vulnerabilities in a third-party vendor. Since these reports, impacted individuals have filed a class action complaint in the U.S. District Court for the District of Minnesota, contending that Allianz Life failed to protect personal information due to negligence.

This incident comes shortly after Aflac Inc. (“Aflac”), another insurance company, disclosed a cybersecurity incident on July 7. The number of people impacted has not yet been reported. Erie Insurance (“Erie”) also announced a cyber-attack earlier this summer, causing widespread disruptions that interrupted business operations, which included closing customer portals used to pay bills, for nearly a month.

Threat Actor Attribution: Scattered Spider

It is unclear who is behind the Allianz Life, Aflac, or Erie attacks. However, cybersecurity intelligence organizations such as Crowdstrike and Mandiant, as well as various news sources, have warned that the threat actor group “Scattered Spider” is focusing efforts on large U.S. enterprises in the insurance industry. Scattered Spider employs sophisticated social engineering and identity theft tactics to bypass multi-factor authentication and internal security protocols. It has been linked to previous large-scale breaches, and its tactics are part of a broader trend of cybercriminal organizations exploiting supply chain vulnerabilities and third-party relationships.

Regulatory and Legal Implications

Given the nature and scope of the data compromised, targeted insurers may face significant regulatory scrutiny from multiple authorities, including:

  • State Attorneys General,
  • The Federal Trade Commission (FTC), and
  • The Department of Health and Human Services (HHS), if protected health information (PHI) is involved.

Additionally, companies may face:

  • Class-action litigation from impacted individuals,
  • Securities-related claims if disclosures related to the breach are deemed inadequate or misleading, or
  • Contractual liability with third parties whose data or systems were affected.

Key Takeaways for Clients

  • Third-Party Cybersecurity Risk: These recent attacks highlight the growing risks posed by third-party vendors. Organizations should evaluate their vendor management programs, particularly focusing on data sharing, access controls, and security certifications.
  • Incident Response Planning: Incident response planning should be proactive. The speed and effectiveness of incident response, including timely notification, containment, and forensic analysis, plays a critical role in mitigating risk.
  • Regulatory Compliance: Companies should ensure compliance with evolving state and federal breach notification and data privacy laws, including timely reporting and documentation practices.
  • Threat Actor Tactics Are Evolving: Scattered Spider and similar groups are employing increasingly sophisticated techniques to circumvent traditional controls, requiring organizations to stay vigilant.

Even though they themselves are victims of a crime, companies subject to a cybersecurity incident may face significant legal and regulatory exposure. Government investigators will expect a thorough and timely response, as will internal leadership, Board Members, customers, and stakeholders.

For these reasons, targeted insurers, as well as those across industries, should consider proactive steps to address these concerns, such as:

  • Conducting cybersecurity risk assessments focused on third-party vendors,
  • Reviewing and updating breach notification, response, and communication protocols,
  • Evaluating cyber insurance policies for adequacy and coverage, and
  • Monitoring regulatory developments and litigation related to a breach for precedent-setting implications.

Crowell & Moring LLP has unparalleled experience working with companies, particularly in the insurance, health care, and technology sectors, to address these risks and continues to monitor developments.

For additional information, please contact our team.

Insights

Client Alert | 4 min read | 08.07.25

File First, Facts Later? Eleventh Circuit Says That Discovery Can Inform False Claims Act Allegations in Amended Complaints

On July 25, 2025, the Eleventh Circuit Court of Appeals issued its decision in United States ex. rel. Sedona Partners LLC v. Able Moving & Storage Inc. et al., holding that a district court cannot ignore new factual allegations included in an amended complaint filed by a False Claims Act qui tam relator based on the fact that those additional facts were learned in discovery, even while a motion to dismiss for failure to comply with the heightened pleading standard under Federal Rule of Civil Procedure 9(b) is pending.  Under Rule 9(b), allegations of fraud typically must include factual support showing the who, what, where, why, and how of the fraud to survive a defendant’s motion to dismiss.  And while that standard has not changed, Sedona gives room for a relator to file first and seek out discovery in order to amend an otherwise deficient complaint and survive a motion to dismiss, at least in the Eleventh Circuit.  Importantly, however, the Eleventh Circuit clarified that a district court retains the discretion to dismiss a relator’s complaint before or after discovery has begun, meaning that district courts are not required to permit discovery at the pleading stage.  Nevertheless, the Sedona decision is an about-face from precedent in the Eleventh Circuit, and many other circuits, where, historically, facts learned during discovery could not be used to circumvent Rule 9(b) by bolstering a relator’s factual allegations while a motion to dismiss was pending.  While the long-term effects of the decision remain to be seen, in the short term the decision may encourage relators to engage in early discovery in hopes of learning facts that they can use to survive otherwise meritorious motions to dismiss....