Insurance has been targeted before and hit hard. Incidents like Anthem and CNA proved the sector holds valuable data and makes for a high-leverage target. But up until recently, the focus was elsewhere: retail, healthcare, critical infrastructure.

Now the pendulum is swinging back.

Threat groups are returning to insurance with new tactics and sharper focus. Instead of attacking the perimeter, they are exploiting broker portals, claims platforms, and the lightly governed vendor ecosystems that insurers rely on. This is not about brute force. It is about slipping through the seams.

Groups like Scattered Spider have already appeared in insurance intrusions. Erie Insurance confirmed a breach.[1] Google’s threat intelligence has flagged renewed interest in the sector from advanced attackers. Whether the prize is policyholder data, internal pricing models, or access to downstream supply chains, insurance is once again attracting serious attention.

And this time, attackers know exactly where to look. 


Proof: Targeting is Ramping Up 

The signals are no longer subtle. Over the past 12 months, multiple indicators confirm that the insurance sector is entering another active phase of threat activity.

  • Aflac (June 2025)
    On June 12, 2025, Aflac detected and halted unauthorized network activity within hours. While no ransomware was deployed, the intrusion may have exposed sensitive data: Social Security numbers (SSNs), health information, and claims data.[2] Investigators link the attack to a “sophisticated cybercrime group” leveraging advanced social engineering consistent with Scattered Spider. Aflac characterized the breach as part of “a cybercrime campaign against the insurance industry”.
  • Erie Insurance (June 2025)
    On June 7, 2025, Erie’s team detected unusual activity on their network, triggering an information-security response that led to a prolonged outage.
    Google TAG flagged this activity as likely tied to Scattered Spider, and although business services were disrupted, Erie Insurance claims there is no evidence of ransomware in the outage.[3]
  • Prudential Insurance (February 2024)
    On February 4, 2024, Prudential reported a data breach via unauthorized network access.[4] Although focused on employee records, it demonstrated how even top-tier insurers remain vulnerable. The intrusion was later claimed by AlphV (BlackCat), a group known for exploiting third-party systems.

Follow the Data: Insurance Breaches Behind Healthcare Impact Spikes

Chart: Healthcare Security Breaches (individuals affected, by year). SOURCE: The HIPAA Journal

The chart above shows a clear trend: the largest spikes in healthcare breach impact, measured by individuals affected, align with major insurance-related cyberattacks.

  • 2015: The Anthem breach compromised nearly 80 million records. As one of the largest U.S. health insurers, its breach caused a sector-wide spike in reported individuals affected.
  • 2024: The Change Healthcare attack impacted up to 190 million individuals. Although framed as a healthcare incident, Change is a claims clearinghouse deeply embedded in the insurance stack, making this one of the largest insurance-adjacent breaches on record.
  • Change Healthcare (February 2024)
    In mid-February 2024, AlphV (BlackCat) infiltrated Change Healthcare, UnitedHealth’s claims clearinghouse, compromising 190 million patient and insurance records, disrupting claims processing, and triggering a substantial $22 million ransom.[5]

This attack highlights third-party breaches as cascading risk mechanisms in the insurance space.


What It All Means

  1. Timing: Consecutive incidents in 2024 – 2025 show a clear uptick after a quieter period post-CNA.
  2. Tactics: All events link back to compromised credentials, provider portals, multifactor authentication (MFA) fatigue, and help-desk impersonation: classic third-party exploitation techniques highlighted in CrowdStrike’s Global Threat Report and Mandiant’s M-Trends.
  3. Actors: Advanced groups like Scattered Spider and AlphV are shifting focus to leverage ease-of-access over brute force.

The surge is far from random. It reflects deliberate targeting based on known access vectors and weak governance. And if the pattern holds, as it has in past cycles, insurance will not be the last stop. Other sectors with similar risk conditions may already be in the crosshairs.


Why Insurance? Third-Party Exposure at Scale 

The insurance sector is not just connected. It’s interdependent. Few industries rely more heavily on third-party entities to operate core business functions. From brokers and third-party administrators (TPAs) to outsourced claims platforms and document processors, insurers function within a vast, loosely governed digital supply chain.

That reliance creates risk, or opportunity, depending on who’s looking.

Each relationship, portal, and shared credential becomes a potential entry point. Workflows like quoting, underwriting, claims submission, and billing often pass through multiple systems and hands, many of which fall outside traditional security oversight. And unlike banking or defense, where third-party governance has matured under regulatory pressure, insurance has historically operated with fewer guardrails.

In practice, that means attackers don’t need to breach an insurer or healthcare provider directly. They can exploit the ecosystem around it.


Case in point: The Change Healthcare Breach

In the February 2024 UnitedHealth Group cyberattack, as mentioned earlier, the compromised entity was Change Healthcare, a clearinghouse that connects providers, insurers, and pharmacies across the country. The intrusion disrupted claims processing nationwide and exposed the sensitive data of up to 190 million individuals.

This was not a direct hit on UnitedHealth Group’s infrastructure. It was a breach of a core intermediary. Change Healthcare was compromised by the AlphV/Blackcat ransomware group, and the fallout rippled through the entire insurance and healthcare landscape. The result:

  • Claims processing and payment flows were disrupted nationwide, delaying care and reimbursement
  • Patient data, including insurance and medical records, of an estimated 190 million individuals was exposed
  • Pharmacies, hospitals, and insurers were all impacted, many without direct relationships to Change

It was a systemic breakdown, and a stark example of how a single third-party failure in an insurance-adjacent system can disrupt an entire sector.


Tactics in Use: What’s Being Exploited

The tactics now being deployed against insurance look familiar, because they’ve already been tested in other high-value, trust-heavy sectors. But in insurance, they’re often more effective due to the decentralized nature of access, the prevalence of shared credentials, and the wide surface area created by third-party relationships.

MFA fatigue, social engineering, and credential stuffing remain common entry points. But attackers are pairing them with more targeted techniques, especially those that exploit operational trust chains, like impersonating brokers, hijacking inactive accounts, or compromising lightly monitored portals.

These tactics succeed not because they’re novel, but because the insurance sector provides multiple ways in, and few robust mechanisms for verifying who’s really knocking.


Common Attack Vectors in Recent Incidents

  • Third-party portal compromise
    Broker and TPA portals are often externally facing, lightly monitored, and reused across partners. Once compromised, they offer a trusted access point that bypasses traditional perimeter defenses.
  • Help desk impersonation
    Threat actors posing as internal users or vendors can bypass MFA protections through social engineering. These tactics have been tied directly to Scattered Spider and other groups targeting insurance and financial services.
  • Credential abuse and MFA fatigue
    Reused passwords and weak MFA implementations, especially those relying on SMS or push approvals, remain soft targets, above all across distributed partners with inconsistent controls.
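The MFA fatigue pattern described above (a burst of push prompts, several denied or ignored, then one approved) is visible in ordinary authentication logs. The following is an added example, not code from the original article or from any vendor it names: a small detector over constructed JSON-lines auth events. The field names (`ts`, `user`, `event`, `src_ip`) and event values (`push_sent`, `push_denied`, `push_timeout`, `push_approved`) are assumptions for this example, not any real MFA provider's schema.

```python
"""Flag MFA push-fatigue bursts in authentication logs (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (JSON Lines). One externally facing broker account receives
# five push prompts in four minutes, rejects or ignores four, then approves the fifth.
SAMPLE_LOG = """\
{"ts": "2025-06-12T02:14:05Z", "user": "broker-jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:14:35Z", "user": "broker-jdoe", "event": "push_timeout", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:15:10Z", "user": "broker-jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:15:40Z", "user": "broker-jdoe", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:16:02Z", "user": "broker-jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:16:30Z", "user": "broker-jdoe", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:17:01Z", "user": "broker-jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:17:20Z", "user": "broker-jdoe", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:18:00Z", "user": "broker-jdoe", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T02:18:09Z", "user": "broker-jdoe", "event": "push_approved", "src_ip": "203.0.113.7"}
{"ts": "2025-06-12T09:01:00Z", "user": "tpa-claims01", "event": "push_sent", "src_ip": "198.51.100.4"}
{"ts": "2025-06-12T09:01:08Z", "user": "tpa-claims01", "event": "push_approved", "src_ip": "198.51.100.4"}
"""

WINDOW = timedelta(minutes=10)   # how close together prompts must be to count as one burst
PROMPT_THRESHOLD = 4             # prompts inside WINDOW before we raise a finding
REJECTIONS = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse JSON Lines into dicts with 'ts' converted to an aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_mfa_fatigue(text, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one finding per user whose prompts exceed the threshold inside a window.

    Severity: 'high' when an approval follows a denial/timeout inside the burst (the
    classic fatigue outcome), 'medium' when the burst was only rejected, 'low' otherwise.
    """
    by_user = defaultdict(list)
    for rec in parse_log(text):
        by_user[rec["user"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        prompt_times = [r["ts"] for r in recs if r["event"] == "push_sent"]
        for i, start in enumerate(prompt_times):
            in_window = [t for t in prompt_times[i:] if t - start <= window]
            if len(in_window) < threshold:
                continue
            end = start + window
            outcomes = [r["event"] for r in recs
                        if start <= r["ts"] <= end and r["event"] != "push_sent"]
            seen_reject = approved_after_reject = False
            for outcome in outcomes:
                if outcome in REJECTIONS:
                    seen_reject = True
                elif outcome == "push_approved" and seen_reject:
                    approved_after_reject = True
            severity = "high" if approved_after_reject else ("medium" if seen_reject else "low")
            findings.append({
                "user": user,
                "prompts": len(in_window),
                "start": start.isoformat(),
                "severity": severity,
                "src_ips": sorted({r["src_ip"] for r in recs if start <= r["ts"] <= end}),
            })
            break  # one finding per user is enough to drive triage
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_LOG):
        print(finding)
```

A 'high' finding on an externally facing broker or TPA account is the case to act on: the approval that finally lands is exactly what the attacker wanted, so the response is to treat that session as compromised and verify the user out of band rather than to simply reset the password.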


Strategic Targeting Trend

Recent incidents in the insurance sector reveal a shift in attacker behavior: exfiltration over encryption. In some recent breaches, attackers didn’t encrypt systems; they stole underwriting models, pricing data, and internal actuarial material. This signals a shift from quick hits to a deeper, more strategic exploitation. Attackers are increasingly seeking out customers’ personally identifiable information (PII), financial records, and healthcare information, not just to lock systems, but to leverage stolen data for extended periods.

This isn’t opportunism. It’s operational knowledge of how insurance companies function, and where their digital doors are left open. The tactics work because the structure allows them to.


What’s Next: Predicting the Next Sectors Based on the Same Risk Model

Insurance isn’t an isolated case. It’s a signal.

The same risk pattern that made insurers an attractive target is clearly visible in other verticals. The combination of high third-party dependence, decentralized access, and minimal oversight creates conditions that threat actors have learned to exploit. And if past targeting cycles are any guide, the next verticals are already in view.

Based on the same risk profile, the sectors most likely to see increased threat activity next include:

  • Legal and Professional Services
    Often deeply embedded in client operations, legal firms and consultancies handle sensitive data and rely on collaborative portals, shared cloud platforms, and external document exchanges. Security maturity varies widely, especially among mid-sized firms.
  • Real Estate and Construction
    These sectors manage large financial transactions, handle personal and contractual data, and coordinate through fragmented third-party networks, including brokers, title services, and development partners. Vendor sprawl is high. Oversight is often informal.
  • Private Equity and Boutique Financial Services
    High-value targets with lean IT operations. Reliance on external partners for fund administration, compliance, and reporting creates exploitable seams similar to what we’ve seen in insurance.


This is not just speculative.

Threat intel firms are already tracking reconnaissance and intrusion activity across these verticals. The same groups that pivoted from telecom to retail, and from healthcare to insurance, are beginning to test the edges of legal, real estate, and small-cap financial services.

If the playbook repeats, these sectors aren’t next; they’re already being mapped. The window between reconnaissance and exploitation is shrinking. Just as insurers had time to prepare but didn’t always act, these adjacent sectors may be operating on borrowed time. The question is no longer “if,” but whether the right safeguards are already in place.


What CISOs Should Do Now

The shift in targeting is real, and the tactics are already in play. For CISOs in insurance, and for security leaders in sectors showing the same risk signals, the window to act is now.

These aren’t zero-day exploits or obscure APT techniques. The common thread in these breaches is exposed trust: brokers, vendors, clearinghouses, and partners who have access but not accountability.

The most effective actions are structural, not technical.

Priority Actions:

  1. Map Third-Party Access Points
    Inventory who has access to your environment, and what they can do once inside. If it’s not being tracked, it’s not being secured.
  2. Segment and Monitor External Access
    Apply least-privilege access controls and strong segmentation for all third-party integrations. Monitor for unusual behavior, especially login patterns that don’t match the role or geography.
  3. Tighten Identity and Access Management (IAM) Processes, MFA, and Identity Verification (Proofing)
    Review third-party access regularly, ensuring access is revoked when no longer required to execute the duties of the contract. Review how MFA is implemented, especially for externally facing portals and legacy integrations. If it’s easy to fatigue or socially engineer, it’s not enough. Ensure your vendors’ people are who they say they are.
  4. Strengthen Help Desk and Broker Verification Protocols
    Train support staff to recognize impersonation attempts and enforce multi-layer verification for account resets or credential escalations.
  5. Extend Incident Response to Vendor Paths
    Ensure your playbooks include response procedures for breaches through third parties. Most incident responses are still too inward-looking.
  6. Build a Cross-Sector Watchlist
    If you’re in legal, construction, or financial services, assume you’re next. Learn from insurance’s trajectory and proactively assess your own third-party dependencies.
  7. Look Beyond SOC 2 When Assessing Vendor Risk
    SOC 2 reports may confirm that a vendor has a third-party risk process, but they rarely reveal how well it works in practice, or who your vendor is relying on behind the scenes. Push for visibility into sub-service providers and assess the actual governance around fourth-party dependencies.
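The first three priority actions (inventory third-party access, monitor logins that don’t match role or geography, revoke access that has outlived its contract) can be driven from one small review job. The following is an added example, not code from the original article: a periodic check over a constructed third-party account inventory and a handful of constructed login events. The inventory fields (`vendor`, `role`, `countries`, `contract_end`, `last_login`), the role-to-resource scope table, and the 90-day inactivity limit are assumptions for this example; in practice the inventory comes from your identity provider and vendor contracts.

```python
"""Third-party access review: stale accounts and out-of-pattern logins (added example, constructed data)."""
from datetime import date

# Constructed inventory of external accounts. Field names are assumptions for this example.
INVENTORY = [
    {"user": "broker-jdoe", "vendor": "Acme Brokerage", "role": "broker",
     "countries": {"US"}, "contract_end": "2026-03-31", "last_login": "2025-06-12"},
    {"user": "tpa-claims01", "vendor": "Example TPA", "role": "claims_adjuster",
     "countries": {"US", "CA"}, "contract_end": "2025-01-31", "last_login": "2025-06-12"},
    {"user": "docproc-svc", "vendor": "DocProc Ltd", "role": "document_intake",
     "countries": {"US"}, "contract_end": "2025-12-31", "last_login": "2025-01-15"},
]

# Resource classes each third-party role legitimately needs (least privilege, expressed as data).
ROLE_SCOPE = {
    "broker": {"quote_portal", "policy_lookup"},
    "claims_adjuster": {"claims_portal", "policy_lookup"},
    "document_intake": {"document_api"},
}

# Constructed login events: (user, UTC timestamp, source country, resource class).
LOGINS = [
    ("broker-jdoe", "2025-06-12T02:18:09Z", "US", "quote_portal"),
    ("broker-jdoe", "2025-06-12T02:25:40Z", "US", "claims_export_api"),  # outside a broker's scope
    ("tpa-claims01", "2025-06-12T09:01:08Z", "RO", "claims_portal"),      # outside the vendor's countries
]

REVIEW_DATE = date(2025, 6, 15)  # fixed so the review is reproducible; use date.today() in production
INACTIVE_DAYS = 90               # accounts unused this long are candidates for revocation


def review_access(inventory=INVENTORY, logins=LOGINS, today=REVIEW_DATE):
    """Return (check, user, detail) findings for stale accounts and out-of-pattern logins.

    Checks: 'stale' (contract ended, or no login within INACTIVE_DAYS), 'unknown_account'
    (login by an account missing from the inventory), 'geo_mismatch' (source country not
    on the vendor's list), 'scope_violation' (resource outside the role's scope).
    """
    findings = []
    by_user = {acct["user"]: acct for acct in inventory}

    # Step 1 and 3: does every inventoried account still have a reason to exist?
    for acct in inventory:
        if date.fromisoformat(acct["contract_end"]) < today:
            findings.append(("stale", acct["user"],
                             f"contract ended {acct['contract_end']} but access is still active"))
        elif (today - date.fromisoformat(acct["last_login"])).days > INACTIVE_DAYS:
            findings.append(("stale", acct["user"],
                             f"no login for more than {INACTIVE_DAYS} days"))

    # Step 2: does each login fit the account's role and geography?
    for user, ts, country, resource in logins:
        acct = by_user.get(user)
        if acct is None:
            findings.append(("unknown_account", user, f"login at {ts} by account missing from inventory"))
            continue
        if country not in acct["countries"]:
            findings.append(("geo_mismatch", user,
                             f"login from {country} at {ts}; vendor expected {sorted(acct['countries'])}"))
        if resource not in ROLE_SCOPE.get(acct["role"], set()):
            findings.append(("scope_violation", user, f"{acct['role']} accessed {resource} at {ts}"))
    return findings


if __name__ == "__main__":
    for check, user, detail in review_access():
        print(f"{check:16} {user:14} {detail}")
```

On the constructed data the job flags the TPA account whose contract ended months ago, the document-intake service account nobody has used since January, a broker reaching an export API a broker has no business with, and a claims login from a country the vendor never listed. Each of those is an access decision a third party can no longer make for you; the review exists so that someone on your side makes it.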

Attackers are going where trust outpaces security. Organizations that rely heavily on others to operate and haven’t built controls around those relationships are standing in the open.

It’s not enough to harden the front door if you’ve handed out keys to the side entrance.


ABOUT THE RESEARCH

This document was created by a human analyst in collaboration with generative AI. The final content was developed, reviewed and edited by a human editor to ensure accuracy, originality, and adherence to applicable legal standards.


Works Cited

Cimpanu, C. (2025, June 7). Erie Insurance confirms cyberattack behind business disruptions. Retrieved from BleepingComputer: https://www.bleepingcomputer.com/news/security/erie-insurance-confirms-cyberattack-behind-business-disruptions/

CrowdStrike. (2025). 2025 Global Threat Report. Retrieved from CrowdStrike: https://www.crowdstrike.com/en-us/global-threat-report/

Insurance Business America. (2024, April 12). Giant US insurer admits second data hack. Retrieved from Insurance Business America: https://www.insurancebusinessmag.com/us/news/cyber/giant-us-insurer-admits-second-data-hack-483520.aspx

Mandiant. (2025). M-Trends 2025 Report. Retrieved from Mandiant: https://www.mandiant.com/resources/m-trends

O’Brien, S. A. (2024, February 28). Cyberattack on health insurance system is impacting doctors, therapists, and patients. Retrieved from CNN: https://www.cnn.com/2024/02/28/tech/cyberattack-health-insurance-doctors-therapists/index.html

[1] Erie Insurance Information Security Incident

[2] Aflac Incorporated Discloses Cybersecurity Incident

[3] Erie Insurance: ‘No Evidence’ of Ransomware in Outage; TMNA Updates

[4] Giant US insurer admits second data hack

[5] The Biggest Healthcare Data Breaches of 2024
