MANILA, Philippines — A “staggering” amount of files equivalent to more than 730 gigabytes (GB) of data had been leaked from the Philippine Health Insurance Corp. (PhilHealth), the National Privacy Commission (NPC) said on Saturday.
The NPC added that it had launched an investigation seeking those liable for the breach of private information of potentially hundreds of thousands of the state insurer’s beneficiaries.
The NPC said it had completed an initial analysis of 650 GB of compressed files from the data dump claimed by Medusa, a clandestine group that admitted hacking into PhilHealth computers and held the information it stole for a $300,000 (about P17 million) ransom.
“Upon extraction, these files revealed a staggering 734 GB worth of data, including personal and sensitive personal information,” the NPC said in a statement.
A two-page PhilHealth membership registration form holds about 700 kilobytes of data, meaning that if these were the files that had been leaked, it would be roughly equivalent to over 1 million forms.
“In light of these findings, the NPC has launched a sua sponte investigation to ascertain the full scope of this breach, identify the responsible officials, and recommend legal prosecution to the fullest extent permissible by law,” the NPC said, using the Latin term for voluntary action.
In an Oct. 2 notice to the public, PhilHealth said that it believed that the “compromised” data included individual names, addresses, dates of birth, sex, phone numbers, and PhilHealth identification numbers.
The NPC noted that the state insurer “implicitly acknowledged a degree of negligence on their part,” citing a statement by an official admitting that the expiration of the antivirus software PhilHealth was using was a potential vulnerability that may have led to the breach.
“The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information,” the NPC said.
It is uncertain whether the data released by Medusa on the “deep web” was all that it was able to steal.
As of June 2023, PhilHealth had more than 103 million beneficiaries, including members and dependents, who all have personal data kept by the state health insurer.
The government’s privacy monitor said it was still processing the data and had no information yet to share on how many users were affected by a leak of this scale.
The NPC also could not confirm whether businesses with transactions with the state insurer were also compromised.
In light of this, the NPC issued a public warning to those who would try to access or download the leaked information, saying they would be held liable under the law.
“Any individual or organization found to process, download, or share the exfiltrated data from PhilHealth will be held accountable for unauthorized processing of personal information and may face criminal charges,” the NPC said in its statement.
The Data Privacy Act of 2021 penalizes the unauthorized processing of personal information and sensitive personal information and giving access to these as a result of negligence.
Unauthorized access carries a penalty of imprisonment ranging from one year to three years and a fine of P500,000 to P2 million.
Providing access due to negligence can lead to prison time ranging from three years to six years and a fine of P500,000 to P4 million.
The improper disposal of personal information and sensitive personal information are also punishable under the law.
Improper disposal of personal data carries a jail time of six months to two years and a fine of P100,000 to P500,000.
Those involved in the improper disposal of sensitive personal information face imprisonment of one year to three years plus a fine of P100,000 to P1 million.
The NPC advised the public to take precautions in the meantime while it was still making a full inventory of the compromised personal information and analyzing the data it had acquired.
Extra caution
It recommended, among others, using strong passwords and multifactor authentication, monitoring accounts, and exercising extra caution when receiving unexpected calls, texts, and emails.
“Ask PhilHealth if your personal information has been compromised and to what extent. Do not click on links from unknown senders,” it added.
It said that it would disclose more information on social media to educate the public on how to protect themselves from those who might take advantage of the data leak.
Two local consumer rights groups expressed concern about the data leak, noting its potential impact on the members of the public who are mandated by law to register with the state insurer.
Rights Action Philippines (RAP) media relations officer Ferdie Ferido told the Inquirer that what happened showed the “systemic weaknesses” in safeguarding the identity of PhilHealth members.
“This could leave the impression to the public that there is no safe place anymore for their important personal information that is kept by the government,” Ferido said.
‘Very alarming’
He said the stolen member data information could be misused by unscrupulous individuals, especially with the rising use of artificial intelligence (AI).
Alliance of Concerned Consumers in the Philippines convenor Ritchie Horario said the leak was “very alarming,” noting that individuals whose sensitive information was leaked are now vulnerable to identity theft, scam, and other illegal acts.
“Our government agencies should strengthen their cybersecurity measures to prevent the leak of vital data and information of their members. They should explore all available means to make sure that the data and personal information of their members are well protected as mandated by the Data Privacy Act,” Horario said.
Both said that PhilHealth officials must also be held accountable for the data leak. There must be consequences for this fiasco, they said.