PhilHealth negligence eyed in data breach
October 5, 2023 | 12:00am
MANILA, Philippines — The National Privacy Commission (NPC) is investigating whether Philippine Health Insurance Corp. (PhilHealth) was negligent in its handling of personal information and security in connection with a recent ransomware attack.
Apart from negligence, the privacy commission is also looking into whether there was concealment, and into the possible imposition of administrative fines, pending the outcome of its investigation, NPC Public Information and Assistance Division chief Roren Chin said in a Viber message to reporters.
According to her, the administrative fines could reach as much as P5 million.
Chin explained that NPC administrative fines are monetary penalties imposed by the NPC for non-criminal violations of data privacy regulations, and are distinct from the criminal penalties specified in the Data Privacy Act.
“We have identified that certain documents from the video released by Medusa contained personal information, including IDs and photographs,” Chin said.
“Currently, we are actively verifying whether these individuals have any affiliation with PhilHealth, either as employees or members,” she added.
Last week, the NPC said it was notified by PhilHealth regarding the alleged ransomware attack.
“We have issued a Notice to Explain to PhilHealth, seeking comprehensive information regarding the nature and extent of the data breach,” the NPC said last week.
Apart from the notice to explain, the NPC also issued PhilHealth a notice to appear at a hearing scheduled last Sept. 26. It added that this was followed by a Notice of Onsite Investigation on Sept. 28.
“These actions have been initiated to evaluate the impact of the alleged data breach and to assess the mitigation efforts undertaken by PhilHealth, with a primary focus on protecting the interests of the affected beneficiaries and contributors,” the NPC said earlier.
In a statement on Tuesday, PhilHealth said it has been actively reaching out to members of the public and employees whose information may have been compromised.
The agency also emphasized that the ransomware attack did not affect its servers containing members’ private information.
“PhilHealth’s membership database, claims, contribution and accreditation information which are stored in a separate database are intact and completely unaffected by the cyberattack,” the agency said.
It stressed that only the application servers and employees’ workstations had been affected by the cyberattack.
“Hence, files stored locally in the hard drive of the infected workstations may have been compromised. An inventory is being conducted in order to determine the extent of information which may have been exfiltrated from these workstations,” it added.
Jeffrey Ian Dy, Information and Communications Technology undersecretary for cybersecurity, connectivity and upskilling, said they had already restarted all of the PhilHealth database systems, especially the members’ database, after a security sweep determined that the Medusa attack had breached only around 150 employee workstations.
PhilHealth spokesman Dr. Israel Pargas said six of the affected systems have been restored and only two are still undergoing restoration.
As of Oct. 3, Pargas said the following application systems are back: the PhilHealth website, member portal, eClaims, HCI Portal, Electronic Premium Remittance System and ePAR (electronic PhilHealth Acknowledgment Receipt), a system used by PhilHealth and its accredited collecting agents for online transactions, replacing the manual issuance of official receipts.
Dy had earlier disclosed that the hackers had posted some of the stolen personal data on the dark web and had demanded a $300,000 ransom in exchange for the key to decrypt the personal information they had encrypted and posted.
According to PhilHealth, an inventory is being conducted in order to determine the extent of information which may have been exfiltrated from workstations.
Apart from the PhilHealth issue, the NPC also reminded the public yesterday to be cautious of the privacy implications brought about by the use of the popular artificial intelligence yearbook app. – Mayen Jaymalin