The National Privacy Commission (NPC) is assessing whether the Philippine Health Insurance Corporation (PhilHealth) should be held liable after it was hit by a ransomware attack.
“As for PhilHealth's liability, we are currently assessing whether negligence was involved on their part before making any definitive statements,” NPC Public Information and Assistance Division chief Roren Marie Chin told reporters in response to queries raised in a Viber chat group.
“But in addition to negligence, we are also looking if there is concealment and possible imposition of administrative fines, pending the outcomes of our investigation,” she added.
Based on NPC’s guidelines on administrative fines, the total imposable fine against Personal Information Controllers (PICs) and Personal Information Processors (PIPs) shall not exceed P5 million.
“The specific amount of the penalty will be determined based on the outcome of the investigation. All PICs or PIPs subject to administrative fines will be afforded due process,” Chin said.
“If found liable for admin fines, such will be imposed upon the PIC and/or its responsible personnel/officers. However, please note that there is no specific provision exclusively addressing government fines. The provisions apply to PICs/PIPs in general,” she added.
A Medusa ransomware attack hit PhilHealth last month, prompting the temporary shutdown of its online systems.
Hackers reportedly threatened to release the data stolen from its database should the agency fail to pay them $300,000 or approximately P17 million.
But PhilHealth stressed that it would not pay a ransom.
On September 29, PhilHealth announced that its corporate website, member portal, and e-claims were again accessible to the public.
On Tuesday, PhilHealth said members’ information, claims, contributions, and accreditation are stored in a separate database and are “intact and completely unaffected” by the cyberattack.
“Only the application servers and employees’ workstations have been affected by the said cyberattack. Hence, files stored locally in the hard drive of the infected workstations may have been compromised,” the state health insurer said.
Chin said the NPC has “identified certain documents containing personal information, including IDs and photographs.”
“Currently, we are actively verifying whether these individuals have any affiliation with PhilHealth, either as employees or members,” she added. — BM, GMA Integrated News