
Posted on • Originally published at harwoodlabs.xyz

Healthcare Data Breaches Have Become Cost Centers, Not Emergencies

The math is brutal, but it's working exactly as intended.

When Aflac announced that hackers had stolen the personal and health data of 22.6 million people, the news cycle treated it like weather: unfortunate, predictable, something to endure. The company's stock price barely flinched. Its executives didn't resign in shame. Instead, they filed the required paperwork, hired the mandated PR firms, and began the well-rehearsed dance of breach notification.

This isn't incompetence. It's optimization.

The American healthcare system has turned patient data breaches into a manageable business expense, and the current regulatory framework is accidentally incentivizing companies to treat cybersecurity as a post-breach cleanup operation rather than a preventive discipline. The result is a system where losing 22.6 million patient records generates less corporate anxiety than a bad quarterly earnings report.

The New Economics of Healthcare Privacy

The Aflac breach reveals something disturbing about how we've structured healthcare data protection in America. When a company can lose the most sensitive information of nearly half the population of South Korea and face consequences that amount to a rounding error on their balance sheet, we've created a system that actively discourages real security investment.

Consider the economics from Aflac's perspective. The company serves approximately 50 million customers, meaning this breach affected nearly half its entire customer base. The stolen data wasn't just names and addresses; it included Social Security numbers, medical information, and health insurance details. This is the complete profile needed for identity theft, insurance fraud, and medical identity theft that can haunt victims for decades.

Yet Aflac's response follows a playbook that has become depressingly familiar: acknowledge the breach months after discovery, hire a credit monitoring service, send out form letters, and wait for the news cycle to move on. The total cost of this approach, including legal fees, regulatory fines, and remediation efforts, will likely be less than what the company spends on marketing in a single quarter.

This isn't a bug in the system; it's a feature. We've created an environment where the rational business decision is to treat cybersecurity as a compliance checkbox rather than an existential priority.

The Scattered Spider Pattern

The timing of the Aflac breach tells an even more troubling story. The attack likely came from Scattered Spider, the collective of English-speaking hackers that was systematically targeting insurance companies throughout 2024 and early 2025. Aflac wasn't an isolated victim; it was part of a coordinated campaign that also hit Erie Insurance and Philadelphia Insurance Companies.

This means Aflac wasn't caught by a zero-day exploit or a novel attack vector. It was hit by a known threat actor using established tactics against a sector that was publicly known to be under siege. The failure here wasn't just technical; it was strategic. The company had warning, had context, and still couldn't prevent the breach.

When pressed for details, Aflac's response was telling: they acknowledged that federal law enforcement had identified the attackers as part of a known criminal organization targeting the insurance industry. In other words, this wasn't a surprise attack by sophisticated state actors. This was getting robbed by criminals who had already robbed your neighbors, while wearing the same disguise, using the same methods, at roughly the same time of day.

The fact that this level of predictable threat succeeded suggests that Aflac's security posture was optimized for something other than actually stopping attackers.

The Regulatory Theater Problem

The current healthcare data protection framework, anchored by HIPAA and various state breach notification laws, has created what security professionals privately call "regulatory theater." Companies invest enormous resources in compliance activities that create the appearance of security while providing minimal actual protection.

HIPAA penalties, even when fully enforced, rarely exceed the low millions for even massive breaches. State attorneys general can issue fines, but these are typically negotiated down to amounts that barely register on insurance company balance sheets. The FTC can step in with consent decrees, but these usually result in promises to "do better" rather than material financial consequences.

Meanwhile, the breach notification requirements have created a perverse transparency problem. Companies must disclose when they've been breached, but they face no meaningful requirement to disclose their security investments, threat modeling, or risk assessment processes. We know everything about their failures and nothing about their efforts to prevent those failures.

This creates an information asymmetry that benefits companies at the expense of patients. Healthcare organizations can spend the absolute minimum on security, knowing that any breach will be treated as an unfortunate incident rather than evidence of negligent risk management.

The Normalization Trap

Perhaps most disturbing is how quickly we've normalized healthcare data breaches as an inevitable part of modern life. When 22.6 million people have their most sensitive information stolen, the dominant narrative isn't "how do we prevent this from happening again?" but "here's how to sign up for credit monitoring."

This normalization serves corporate interests perfectly. Every major breach that passes without catastrophic consequences for the breached organization makes the next breach seem more acceptable. We've created a social context where losing patient data is treated like a natural disaster rather than a preventable failure of corporate responsibility.

The healthcare industry has successfully reframed data security as a shared responsibility between organizations and individuals. Patients are expected to monitor their credit, watch for signs of medical identity theft, and generally live with the consequences of corporate security failures. We've socialized the risks of poor cybersecurity while privatizing the cost savings of minimal security investment.

The Insurance Irony

The Aflac breach highlights a particular irony in healthcare data protection. Insurance companies exist to help individuals and organizations manage risk by pooling resources and spreading consequences across many participants. Yet when it comes to cybersecurity, these same companies are systematically externalizing their risk onto the very customers they claim to protect.

Aflac customers didn't choose to have their data stored in systems that couldn't resist known attackers using established tactics. They didn't opt into a risk-sharing arrangement where corporate cost-cutting decisions would expose them to decades of potential identity theft. Yet they're the ones who will spend years dealing with the consequences while Aflac returns to business as usual.

This represents a fundamental misalignment of incentives. The organization with the most control over security decisions (the company) faces the least long-term consequences from security failures, while the individuals with no control over those decisions (the patients) bear the majority of the ongoing risk.

What Real Accountability Would Look Like

The alternative to our current system isn't complicated; it's just politically difficult. Real accountability for healthcare data breaches would require consequences that match the severity of the harm caused.

First, liability caps for healthcare data breaches should be eliminated. If a company loses sensitive data for 22.6 million people, they should face potential damages that reflect the lifetime cost of that exposure, not artificial limits designed to keep settlements manageable.

Second, breach penalties should scale with organizational revenue, not just the size of the breach. A $10 million fine is a rounding error for a company with billions in annual revenue, but it would be existential for a smaller organization. Penalties need to hurt enough to change behavior.

Third, healthcare organizations should face meaningful transparency requirements around their security investments and risk management practices. Patients deserve to know how much their healthcare providers are spending on cybersecurity relative to other operational costs.

Most importantly, healthcare data breaches should trigger automatic regulatory scrutiny of organizational leadership and governance practices. When 22.6 million people have their data stolen, that should raise questions about whether the responsible executives are competent to continue managing sensitive information at scale.

The Path Forward

The Aflac breach isn't an isolated incident or a cautionary tale about sophisticated attackers. It's evidence of a system working exactly as designed, where rational business decisions lead to predictable security failures because we've made those failures cost less than prevention.

Until we align the economic incentives with the actual risks involved, we'll continue to see healthcare organizations treat cybersecurity as a compliance exercise rather than an operational imperative. The current system rewards companies for spending just enough on security to meet regulatory requirements while externalizing the real costs of failure onto patients who have no choice but to accept the risk.

Twenty-two point six million people didn't choose to have their most sensitive information exposed to criminals. They trusted Aflac to protect it, and that trust was betrayed by a system that makes betrayal profitable. The next breach is already being planned by the next group of attackers, and the next company is already calculating whether prevention or cleanup costs less.

We know how this story ends because we've seen it dozens of times before. The only question is whether we're willing to change the economics that make it inevitable.
