A public victim post can be a real warning sign, but it is not proof of breach - and that distinction matters when the target handles sensitive insurance data.
A named ransomware group, a named insurance domain, and a feed-level claim are enough to trigger scrutiny, even when the underlying intrusion has not been verified.