Maxicare Healthcare Corporation, a health maintenance organization (HMO) player in the Philippines, released a data privacy advisory on an alleged unauthorized access to the personal information of its members who used the booking platform of its third-party Homecare provider, Lab@Home.
The HMO firm says that the potential breach affected an estimate of 13,000 members, or less than 1% of its member population.
While Maxicare has confirmed that no sensitive medical information was exposed and that the company’s operations and network have not been impacted in any way, input data used for the booking requests may be compromised should the security incident prove to be true.
The healthcare provider says this is because its system is not integrated with Lab@Home’s, and that the booking requests are maintained in a separate database.
As an emergency measure to ensure the privacy of its members, Maxicare launched an investigation with an undisclosed cybersecurity company in full adherence to regulatory requirements by the National Privacy Commission.
Maxicare had already been alerted of this potential security incident on June 13, four (4) days after its website was temporarily down to undergo a systems upgrade.
On June 18, the National Privacy Commission confirmed that Maxicare has already filed a report regarding the data breach via its Data Breach Notification Management System on June 16.
The attack is being claimed by a user named ‘DaikaijuNo1’ in a hacking forum who claims to have used data scraping as the method of exploit.
Scraping is usually employed by threat actors to collect intel on companies before using more sophisticated attacks, or using the scraped data to customize the attack and exploit vulnerabilities that are specific to the target company.
To support this claim, the hacker posted sample data of a cybersecurity company employee’s personal identifiable information, a list of all companies whose member data have been exposed, and uploaded a file containing the data of all affected users which is being sold only to the first three (3) buyers.
As of writing, the hacker is still selling copies of the information to interested buyers.