PhilHealth: 42-M victims of data leak not yet notified of hacking’s extent
MANILA, Philippines — The Philippine Health Insurance Corporation (PhilHealth) has admitted that the over 42 million members whose data were compromised in a hacking incident last September 2022 have not been notified yet about the breach’s extent.
During the hearing of the House of Representatives committee on appropriations on Monday, Marikina 2nd District Rep. Stella Quimbo asked PhilHealth executive vice president Eli Dino Santos if the state-run insurer has followed the steps indicated by the National Privacy Commission (NPC).
NPC Director IV Maria Theresita Patula, who was present at the hearing, said that under the Data Privacy Law, PhilHealth has the obligation to accomplish and explain the following:
- Affected individuals should be notified within 72 hours
- What data was breached
- How the breach was committed, and possible risks that affected individuals will be exposed to
- How to protect themselves
“Okay, Attorney Santos, what is our plan for the 42 million individuals whose information is out there, that can be accessed by anyone at this point? Is that right, is that the situation? That the records compromised can be accessed?” Quimbo asked.
“That’s the situation, Attorney Eli, right? They do not know, at the very least, they should know so that they can protect themselves. Right? That’s what should have happened,” she added.
“Yes, Madam Chair, it’s PhilHealth’s primary responsibility to inform the affected data subjects, Madam Chair,” Patula replied.
Santos initially said that they complied with the Data Privacy Act, but when Quimbo pressed him further, asking how many individuals had been notified, Santos eventually admitted no one was notified.
“See, that’s your specific responsibility, Attorney Eli. The only answer is yes or no. Do the 42 million affected individuals know that their data was compromised? And therefore, they must take the following precautions?” Quimbo said.
“Madam Chairperson, through the Information Security Office, we have implemented measures to attempt,” Santos said.
“No sir, it’s a very specific question. Just yes or no? Forty-two million, there are 42 million individuals affected. Do they know the four pieces of information that they should know? Just yes or no?” Quimbo asked again.
“As to the individuals, Madam Chairperson, no,” Santos admitted.
Patula said that there were 181 million records that were compromised during the data leak, but many of these were duplicate entries — noting that they have narrowed this down to 42 million individuals.
As of now, the NPC has created a site where PhilHealth members can enter their 12-digit PhilHealth numbers (without dashes) to check if their data was part of those leaked in the hacking incident.
Alwell Mulsid, an information system analyst at the Department of Information and Communications Technology (DICT), meanwhile said that PhilHealth’s system is currently protected, as the department’s National Computer Emergency Response Team has provided a backup anti-virus system.
Santos confirmed that they have obtained the software from DICT, adding that while attacks are ongoing, the data has been protected, and functions of the PhilHealth website are available.
“At present, Madam Chairperson, I was informed that on a daily basis, PhilHealth is experiencing attempts on hacking, Madam Chairperson, but the current system that is in place now prevents such attacks from happening again, Madam Chairperson. And again, thank you to DICT, Madam Chairperson,” Santos noted.
NPC and cybersecurity experts have described the PhilHealth data leak as staggering, as initial assessments revealed that over 730 gigabytes of data have been compromised.
Patula said that they were able to find data like patient medical records, billings filed with member records, member records of rebel returnees, indigents’ billing records, and those killed-in-action or killed-in-police operations.
PhilHealth then blamed the hacking on procurement rules, as the law supposedly barred them from beefing up their cyber defense capabilities.