cdn mobile

42-M PhilHealth data breach victims not yet notified of hacking’s extent

By: Gabriel Pabico Lalu - Inquirer.net | July 09,2024 - 06:30 AM

data breachMANILA, Philippines — More than 42 million members of the Philippine Health Insurance Corporation (PhilHealth), whose data were compromised in a hacking incident last September 2022, have not yet been notified about the extent of the breach.

During the hearing of the House of Representatives committee on appropriations on Monday, Marikina 2nd District Rep. Stella Quimbo asked PhilHealth executive vice president Eli Dino Santos if the state-run insurer has followed the steps indicated by the National Privacy Commission (NPC).

NPC Director IV Maria Theresita Patula who was present in the hearing said that under the Data Privacy Law, PhilHealth has the obligation to accomplish and explain the following:

  • Affected individuals should be notified within 72 hours
  • What data was breached
  • How the breach was committed, and possible risks that affected individuals will be exposed to
  • How to protect themselves

“Okay, Attorney Santos, what is our plan for the 42 million individuals whose information is out there, that can be accessed by anyone at this point?  Is that right, is that the situation?  That the records compromised can be accessed?” Quimbo asked.

“That’s the situation, Attorney Eli, right?  They do not know, at the very least, they should know so that they can protect themselves.  Right?  That’s what should have happened,” she added.

“Yes, Madam Chair, it’s PhilHealth’s primary responsibility to inform the affected data subjects, Madam Chair,” Patula replied.

Santos initially said that they complied with the Data Privacy Act, but when Quimbo pressed him further, asking how many individuals had been notified, Santos eventually admitted no one was notified.

“See, that’s your specific responsibility, Attorney Eli.  The only answer is yes or no.  Do the 42 million affected individuals know that their data was compromised?  And therefore, they must take the following precautions?” Quimbo said.

“Madam Chairperson, through the Information Security Office, we have implemented measures to attempt,” Santos said.

“No sir, it’s a very specific question eh. Yes or no lang? Forty-two million eh, there are 42 million individuals affected.  Do they know the four pieces of information that they should know?  Yes or no lang po?” Quimbo asked again.

“As to the individuals, Madam Chairperson, no,” Santos admitted.

Patula said that there were 181 million records that were compromised during the data leak, but many of these were duplicate entries — noting that they have narrowed this down to 42 million individuals.

As of now, the NPC created a site where PhilHealth members can enter their 12-digit numbers (without dashes) to check if their data was part of those leaked in the hacking incident. Visit the site by clicking here.

NPC officer Reginald Francisco meanwhile said that PhilHealth’s system is currently protected, as the Department of Information And Communications Technology (DICT) National Computer Emergency Response Team has provided a backup anti-virus system.

Santos confirmed that they have obtained the software from DICT, adding that while attacks are ongoing, the data has been protected, and functions of the PhilHealth website are available.

“At present, Madam Chairperson, I was informed that on a daily basis, PhilHealth is experiencing attempts on hacking, Madam Chairperson, but the current system that is in place now prevents such attacks from happening again, Madam Chairperson.  And again, thank you to DICT, Madam Chairperson,” Santos noted.

NPC and cybersecurity experts have described the PhilHealth data leak as staggering, as initial assessments revealed that over 730 gigabytes of data have been compromised.

READ:  Leaked Philhealth data ‘staggering,’ says NPC

Patula said that they were able to find data like patient medical records, billings filed with member records, member records of rebel returnees, indigents’ billing records, and those killed-in-action or killed-in-police operations.

PhilHealth then blamed the hacking on procurement rules, as the law supposedly barred them from beefing up their cyber defense capabilities.

RELATED STORIES

PhilHealth: Some members’ data compromised by system breach

PhilHealth accredits 12 birthing centers in Cebu City

Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to our daily newsletter

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

Read Next

Disclaimer: The comments uploaded on this site do not necessarily represent or reflect the views of management and owner of Cebudailynews. We reserve the right to exclude comments that we deem to be inconsistent with our editorial standards.

TAGS: House of Representatives, Philhealth data leaked
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Subscribe to our newsletter!

By providing an email address. I agree to the Terms of Use and acknowledge that I have read the Privacy Policy.

This is an information message

We use cookies to enhance your experience. By continuing, you agree to our use of cookies. Learn more here.