Manila – On Wednesday, the National Privacy Commission (NPC) issued a call to action for banks, hospitals, and telecommunications companies (telcos) to exercise “heightened vigilance” in identifying and preventing fraudulent activities in light of the recent data breach at the Philippine Health Insurance Corporation (PhilHealth).

In its advisory, the NPC cautioned companies functioning as personal information controllers (PIC) and personal information processors (PIP) to be on high alert for counterfeit PhilHealth IDs.

The NPC’s Complaints and Investigation Division determined that a portion of the 650 GB data dump by the Medusa Ransomware Group contained personal and sensitive information of PhilHealth members.

In response to this discovery, the NPC cautioned banks and other financial institutions about the potential misuse of this data for identity theft and financial fraud, including the opening of accounts and conducting transactions using the leaked PhilHealth information.

The advisory stated, “Counterfeit IDs can facilitate money laundering activities within the banking system, potentially exposing banks to legal and regulatory consequences.”

For both public and private hospitals, the data breach could lead to medical fraud and illegal claims of healthcare benefits, as well as unauthorized access to sensitive medical information.

The NPC also alerted telcos that the leaked PhilHealth information could be exploited for SIM registration identity theft.

“Counterfeit IDs may be employed in the registration of SIM cards, allowing malicious actors to engage in criminal activities like fraud, harassment, and scams while maintaining anonymity,” the NPC warned.

Previously, Rey Baleña, the acting vice president of the Corporate Affairs Group at PhilHealth, stated that the investigation into the hacking incident is ongoing, and affected members will be notified. The Department of Information and Communications Technology is currently nearing completion of its analysis. (ai/mnm)

By Junex Doronio

THE PLOT THICKENS, so to speak, as the National Privacy Commission (NPC) on Saturday disclosed that it is investigating possible violations by the Philippine Health Insurance Corporation (PhilHealth) following a ransomware attack that could have compromised members’ personal data.

The NPC further disclosed that last October 6, its Complaints and Investigation Division completed its initial analysis of 650 gigabytes (GB) of compressed files originating from the data dump claimed by the Medusa group, which had earlier demanded $300,000, or approximately P17 million, from PhilHealth and threatened to release the data stolen from its database should the agency fail to pay the shadowy group.

But PhilHealth stressed that it would not pay the demanded ransom.

“This decisive action follows the unsettling revelation of a data breach where confidential information was illicitly obtained from PhilHealth’s systems,” the privacy body said in a statement.

It can be recalled that last September 29, PhilHealth announced that its corporate website, member portal, and e-claims were again accessible to the public.

The state health insurer initially said that there was no breach of its members’ data.

But later, PhilHealth admitted that it believes that several types of data were compromised, including name, address, date of birth, sex, phone number, and PhilHealth Identification Number.

With this, the NPC said it has launched a “sua sponte” investigation to “ascertain the full scope of this breach, identify the responsible officials, and recommend legal prosecution to the fullest extent permissible by law.”

Earlier, the Philippine National Police (PNP) said PhilHealth hackers could face up to 20 years of jail time.

(ai/mnm)