The National Privacy Commission (NPC) has started an immediate and proactive probe into possible violations of the Data Privacy Act of 2012 by the Philippine Health Insurance Corporation (PhilHealth).
“This decisive action follows the unsettling revelation of a data breach where confidential information was illicitly obtained from PhilHealth’s systems,” NPC said in its statement on Saturday, Oct. 7.
According to the data privacy body, its Complaints and Investigation Division analyzed 650 gigabytes (GB) of files that originated from the data dump obtained by the Medusa group.
NPC said it extracted 734 GB worth of data, which included personal and sensitive personal information.
“In light of these findings, the NPC has launched a sua sponte investigation to ascertain the full scope of this breach, identify the responsible officials, and recommend legal prosecution to the fullest extent permissible by law,” it added.
NPC also recalled that PhilHealth had acknowledged its negligence over the cyberattack, citing the expiration of its antivirus software, which possibly led to a potential vulnerability that permeated the state insurer’s online systems.
“The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information,” the data privacy body said.
A group that informs people of data breaches earlier released a photo showing PhilHealth members’ data being circulated on messaging applications like Telegram and on the deep web.
Meanwhile, PhilHealth announced its readiness to cooperate with NPC’s probe and further inquiry regarding the data breach.
“As the party responsible for our members’ information, we are ready to cooperate with the investigations to further improve the cyber security system. The public can rest assured that this incident will have a greatly beneficial outcome, so that our service to members becomes better,” PhilHealth president Emmanuel Ledesma Jr. said.