The National Privacy Commission yesterday said it was looking at the possible liability of the Philippine Health Insurance Corp. (PhilHealth) after hackers began exposing data of the state health insurer on the dark web after failing to get US$300,000 in ransom payment.
“In this case, we’re investigating whether or not there was possible negligence in the processing of personal information,” NPC Complaints and Investigation Division head Michael Santos said in a television interview.
“If that would not amount to negligence, maybe it would amount to possible administrative fines,” Santos said.
On Tuesday, PhilHealth senior vice president and spokesman Israel Pargas said only the identification cards of some of their employees have been leaked online so far after the Medusa ransomware attack on their system.
In a separate interview yesterday, Pargas called on affected PhilHealth employees to change their passwords immediately as their data might be used for illegal online activities, including phishing.
“They can be used to do some criminal acts like phishing. They can create account numbers, or your credit card numbers, they can use your private information that’s why we are also advising our people to change their passwords already in order for them to at least be protected,” Pargas said.
Santos said part of the NPC probe is to examine “whether or not there were appropriate technical, organizational, and physical security measures” to protect PhilHealth’s data system.
PhilHealth on Tuesday insisted the attack did not affect data servers that host members’ information.
“PhilHealth’s membership database, claims, contribution, and accreditation information which are stored in a separate database are intact and completely unaffected by the said cyberattack,” the insurer said in a statement.
Amid the data leak, Gabriela party-list Rep. Arlene Brosas is seeking a congressional investigation into the Sept. 22 Medusa ransomware attack.
“Those hackers could use the personal information of the members to commit identity theft. That’s why it is baffling for PhilHealth to downplay concerns at the onset of the cyber-attack,” Brosas said.
She said the impact of the cyberattack might be far larger, given PhilHealth’s late disclosure of the data breach.
Brosas requested the NPC to furnish the House of Representatives with a copy of its findings.
In the Senate, Senator Grace Poe said any cyberattack is unacceptable, especially against government data systems.
“We will await the final report of PhilHealth to guarantee that members’ records are not compromised,” she said.
As this developed, two data privacy advocacy groups urged the Department of Information and Communications Technology (DICT) and the NPC to prepare Filipino consumers and institutions for the potential impact of the PhilHealth data breach.
“Compared to the Comelec data breach in 2016, the potential impact of this incident is even bigger as all working Filipinos are mandatorily enrolled, and need to pay monthly contributions. We urgently request the DICT and NPC that even if only a fraction of the extent of the breach has been revealed by the threat actors, they can already guide consumers, and institutions that use PhilHealth information on what to do in case their personal information was compromised by the breach,” said Sam Jacoba, president of the National Association of Data Protection Officers of the Philippines (NADPOP), the country’s first advocacy group of Data Protection Officers.
Lito Averia, president of the Philippine Computer Emergency Response Team (PH-CERT), a volunteer organization that assists individuals and institutions on information security issues, said regulators should already anticipate the worst-case scenario.
“PhilHealth, with the help of the DICT, is releasing information on the breach bit by bit. This is actually understandable as the discovery process for external security incidents is complicated, but they can already assume that a significant number of member data was compromised based on their recent statement. Thus, better prepare PhilHealth members for the worst case scenario so they will not be caught off-guard and suffer potential financial loss or be a victim of identity theft,” Averia said.
NADPOP and PH-CERT also offered to provide a third-party perspective and assist PhilHealth in its current breach investigation.