Leaked Philhealth data ‘staggering,’ says NPC | Inquirer News

05:30 AM October 08, 2023

Photo of PhilHealth office in Region XI with a tarpaulin sign carrying the PhilHealth logo in the background.

Photo from Philhealth Region XI Facebook Page

MANILA, Philippines — A “staggering” amount of files equivalent to more than 730 gigabytes (GB) of data had been leaked from the Philippine Health Insurance Corp. (PhilHealth), the National Privacy Commission (NPC) said on Saturday.

The NPC added that it had launched an investigation seeking those liable for the breach of private information of potentially hundreds of thousands of the state insurer’s beneficiaries.

The NPC said it had completed an initial analysis of 650 GB of compressed files from the data dump claimed by Medusa, a clandestine group that admitted hacking into PhilHealth computers and held the information it stole for a $300,000 (about P17 million) ransom.

“Upon extraction, these files revealed a staggering 734 GB worth of data, including personal and sensitive personal information,” the NPC said in a statement.

A two-page PhilHealth membership registration form holds about 700 kilobytes of data, meaning that if these were the files that had been leaked, it would be roughly equivalent to over 1 million forms.

“In light of these findings, the NPC has launched a sua sponte investigation to ascertain the full scope of this breach, identify the responsible officials, and recommend legal prosecution to the fullest extent permissible by law,” the NPC said, using the Latin term for voluntary action.

In an Oct. 2 notice to the public, PhilHealth said that it believed that the “compromised” data included individual names, addresses, dates of birth, sex, phone numbers, and PhilHealth identification numbers.

The NPC noted that the state insurer “implicitly acknowledged a degree of negligence on their part,” citing a statement by an official admitting that the expiration of the antivirus software PhilHealth was using was a potential vulnerability that may have led to the breach.

“The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information,” the NPC said.

It is uncertain whether the data released by Medusa on the “deep web” was all that it was able to steal.

As of June 2023, PhilHealth had more than 103 million beneficiaries, including members and dependents, who all have personal data kept by the state health insurer.

The government’s privacy monitor said it was still processing the data and had no information yet to share on how many users were affected by a leak of this scale.

The NPC also could not confirm whether businesses with transactions with the state insurer were also compromised.

In light of this, the NPC issued a public warning to those who would try to access or download the leaked information, saying they would be held liable under the law.

“Any individual or organization found to process, download, or share the exfiltrated data from PhilHealth will be held accountable for unauthorized processing of personal information and may face criminal charges,” the NPC said in its statement.

The Data Privacy Act of 2021 penalizes the unauthorized processing of personal information and sensitive personal information and giving access to these as a result of negligence.

Unauthorized access carries a penalty of imprisonment ranging from one year to three years and a fine of P500,000 to P2 million.

Providing access due to negligence can lead to prison time ranging from three years to six years and a fine of P500,000 to P4 million.

The improper disposal of personal information and sensitive personal information is also punishable under the law.

Improper disposal of personal data carries a jail time of six months to two years and a fine of P100,000 to P500,000.

Those involved in the improper disposal of sensitive personal information face imprisonment of one year to three years plus a fine of P100,000 to P1 million.

The NPC advised the public to take precautions in the meantime while it was still making a full inventory of the compromised personal information and analyzing the data it had acquired.

Extra caution

It recommended, among others, using strong passwords and multifactor authentication, monitoring accounts, and exercising extra caution when receiving unexpected calls, texts, and emails.

“Ask PhilHealth if your personal information has been compromised and to what extent. Do not click on links from unknown senders,” it added.

It said that it would disclose more information on social media to educate the public on how to protect themselves from those who might take advantage of the data leak.

Two local consumer rights groups expressed concern about the data leak, noting its potential impact on the members of the public who are mandated by law to register with the state insurer.

Rights Action Philippines (RAP) media relations officer Ferdie Ferido told the Inquirer that what happened showed the “systemic weaknesses” in safeguarding the identity of PhilHealth members.

“This could leave the impression to the public that there is no safe place anymore for their important personal information that is kept by the government,” Ferido said.

‘Very alarming’

He said the stolen member data information could be misused by unscrupulous individuals, especially with the rising use of artificial intelligence (AI).

Alliance of Concerned Consumers in the Philippines convenor Ritchie Horario said the leak was “very alarming,” noting that individuals whose sensitive information was leaked are now vulnerable to identity theft, scam, and other illegal acts.

“Our government agencies should strengthen their cybersecurity measures to prevent the leak of vital data and information of their members. They should explore all available means to make sure that the data and personal information of their members are well protected as mandated by the Data Privacy Act,” Horario said.

Both said that PhilHealth officials must also be held accountable for the data leak. There must be consequences for this fiasco, they said.

TAGS: hacking, National Privacy Commission, PhilHealth online security, Philippine Health Insurance Corp.

© Copyright 1997-2024 INQUIRER.net | All Rights Reserved