The National Privacy Commission (NPC) on Saturday said it has begun a probe into the possible violations of the Philippine Health Insurance Corporation (PhilHealth) following a ransomware attack which could have compromised members’ personal data.
In a statement, the NPC said it has initiated an "immediate, proactive investigation” into the potential violations of the Data Privacy Act of 2012 by the state health insurer and its officials, "in an unyielding display of its commitment to safeguarding the privacy and security of personal data.”
"This decisive action follows the unsettling revelation of a data breach where confidential information was illicitly obtained from PhilHealth's systems," it said.
The privacy body said that, on October 6, its Complaints and Investigation Division completed its initial analysis of 650 gigabytes (GB) of compressed files originating from the data dump claimed by the Confucius group.
“Upon extraction, these files revealed a staggering 734 GB worth of data, including personal and sensitive personal information,” the NPC said.
With this, the Privacy body said it has launched a “sua sponte” investigation to “ascertain the full scope of this breach, identify the responsible officials, and recommend legal prosecution to the fullest extent permissible by law.”
Sought for comment, PhilHealth spokesperson Israel Pargas said, “We are in full cooperation with NPC on the investigation and we shall provide all documentation.”
Early this week, the NPC said it was assessing whether negligence or concealment was involved on the part of PhilHealth, with the possible imposition of administrative fines, pending the outcome of the investigation.
A Medusa ransomware attack hit PhilHealth last month, prompting the temporary shutdown of its online systems.
Hackers reportedly threatened to release the data stolen from its database should the agency fail to pay them $300,000 or approximately P17 million.
But PhilHealth stressed that it would not pay a ransom.
On September 29, PhilHealth announced that its corporate website, member portal, and e-claims were again accessible to the public.
While PhilHealth initially said that there was no breach of its members’ data, it later said that it believes that several types of data were compromised, including name, address, date of birth, sex, phone number and PhilHealth Identification Number.
“During a recent media interview, PhilHealth implicitly acknowledged a degree of negligence on their part, with one of their officials citing the expiration of antivirus software as a potential vulnerability that may have facilitated the breach,” the NPC said.
Moreover, Department of Information and Communications Technology (DICT) Undersecretary Jeffrey Dy confirmed that hackers had already begun publishing leaked PhilHealth data on the dark web, including employees' payroll records and other details such as their regional offices, memos, directives, working files, and hospital bills.
Dy also said the hackers would likely target the individuals whose data were compromised, because they are more susceptible to extortion.
The DICT official said their analysis showed that there were no remnants of the Medusa malware in the PhilHealth members' database.
“The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information,” the Privacy body said.
The NPC, likewise, warned the public that any individual or organization found to process, download, or share the exfiltrated data from PhilHealth will be held accountable for unauthorized processing of personal information and may face criminal charges.
“Rest assured, the NPC stands firm in its resolve to combat any actions that contravene the Data Privacy Act of 2012, whether within government or private institutions. We pledge unwavering dedication to enforcing the necessary measures and will be relentless in holding those responsible fully accountable,” it said. —KG, GMA Integrated News