MANILA, Philippines — The National Privacy Commission (NPC) on Tuesday said it received a data breach notification from Maxicare Healthcare Corp. over the weekend, raising concerns about the personal records of nearly two million members of the well-known health maintenance organization (HMO).
The NPC said it received the notice on June 16 through its Data Breach Notification Management System (DBNMS), but disclosed no further details about the incident.
On the same day, an online firm dedicated to monitoring and publishing data leaks posted about the alleged data breach, purportedly carried out by a threat actor known as “OPCODE-90.”
“The compromised file, sized at 33.3 megabytes, contains over 22,800 lines of sensitive information and is reportedly being sold to the first three buyers,” the cybersecurity company Deep Web Konek said in a Facebook post.
Leaked info
It said the leaked data exposed detailed personal and booking information, which included first names, middle names, last names, units or vendors, companies, emails, and Go Rewards codes.
Member-specific information such as full names, company identifications, 16-digit Maxicare card numbers, corporate code, account type, date of birth, sex, mobile numbers, email addresses, and VIP statuses was also part of the leak.
According to its website, Maxicare has 1.8 million members, with 18 Maxicare primary care clinics, one wellness rehabilitation center, and two Maxicare wings in major hospitals.
It said that it also has more than 20,000 affiliated doctors and specialists, and is linked with over 1,300 hospitals and clinics, 700 dental clinics, as well as 140 rehabilitation, dialysis, and eye centers.
This latest data leak follows a string of similar cyber incidents, coming within weeks of similar attacks on automotive giant Toyota Motor Corp. and leading property developer Robinsons Land Corp. (RLC).
The NPC had said that it received the data breach notification from Toyota last May 14, while the RLC of the Gokongwei family informed the commission on June 6.
72 hours to report
Aside from these data breaches, the NPC also said that the Philippine National Police reported six data breach notifications in May, but that the commission has not received any breach report from membership shopping firm S&R despite social media posts of a possible cyberattack.
The government’s data privacy watchdog has yet to come out with a report on the depth and scale of the data breaches reported to it.
Companies and individuals processing personal data must notify affected data subjects individually and report to the NPC through its DBNMS within 72 hours of discovering a breach.
“The NPC takes all allegations of data breaches very seriously and is actively monitoring the situation to ensure the security and privacy of all concerned data subjects,” it noted, encouraging those who believe they may be part of any breach to contact the data protection officers of the companies involved and report the incident to the NPC.