NPC launches probe on PhilHealth breach More than 10 hacked external systems restored  

MANILA, Philippines — The National Privacy Commission (NPC) has launched an investigation to ascertain the full scope of the data breach involved in the Philippine Health Insurance Corp. (PhilHealth) ransomware attack, as it discovers over 700 gigabytes (GB) extracted from a data dump claimed to be from the Medusa hacker group.

In a statement over the weekend, the NPC said its complaints and investigation division on Oct. 6 completed its initial analysis of 650 GB worth of compressed files originating from the data dump claimed by Medusa.

Upon extraction, these files revealed a staggering 734 GB worth of data, including sensitive personal information, according to the NPC.

“In light of these findings, the NPC has launched a sua sponte investigation to ascertain the full scope of this breach, identify the responsible officials and recommend legal prosecution to the fullest extent permissible by law,” the NPC said.

In a viber message to reporters, NPC public information and assistance division chief Roren Chin said the investigation team lead by its chief, Michael Santos, are in the process of conducting a full inventory of the number of compromised personal information.

She added that it might take several days to peruse the entire 734 GB of data.

“We endeavor to complete our investigation in the soonest time possible without compromising thoroughness, depending also on the additional information that may come to light in the course of the investigation,” Chin said.

The NPC said it has initiated an immediate, proactive investigation into PhilHealth’s potential violations of the Data Privacy Act of 2012.

“This decisive action follows the unsettling revelation of a data breach where confidential information was illicitly obtained from PhilHealth’s systems,” the NPC said.

The privacy commission cited recent media interviews where PhilHealth implicitly acknowledged a degree of negligence on their part, with one of their officials citing the expiration of antivirus software as a potential vulnerability that may have facilitated the breach.

“The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information,” the privacy commission said.

“In unequivocal terms, the NPC issues a stern warning to the public: Any individual or organization found to process, download or share the exfiltrated data from PhilHealth will be held accountable for unauthorized processing of personal information and may face criminal charges,” it added.

The commission stressed that it stands firm in its resolve to combat any actions that contravene the Data Privacy Act of 2012, whether within government or private institutions.

“We pledge unwavering dedication to enforcing the necessary measures and will be relentless in holding those responsible fully accountable,” the NPC said.

Asked on what advice it can give to PhilHealth members to protect themselves after the said data breach, Chin suggested the use of strong password and multi-factor authentication. if available.

She also suggested that members monitor their accounts; be extra cautious of unexpected calls/texts/ emails and ask PhilHealth if your personal information has been compromised and to what extent. She also reminded members not to click on links from unknown senders.

“We will be sharing a series of information materials via our social media pages to educate the data subjects on how to protect themselves,” Chin said.

External systems

More than 10 of PhilHealth’s external systems that were affected by the Medusa ransomware attack are now up and running, said Israel Francis Pargas, senior vice president of the state health insurer’s finance and policy sector.

Pargas confirmed that the e-group; point of service (social welfare assistance in health care institution or HCI); electronic PhilHealth online access form (user account request for employers) and iCares (PhilHealth cares) systems have all been restored.

At the same time, the PhilHealth portal (for local government units); health care providers or HCP portal (doctors); electronic collection reporting system or ECRs (banks’ non-electronic PhilHealth acknowledgement receipt) and all case rates or ACR systems are also up.

Earlier, PhilHealth announced that its website, members portal, e-claims system, electronic payment system and health care institution portal are already working.

“These are all frontline external systems. There are also minor systems that have already been fixed,” said Pargas.

He gave assurance that the agency is adopting measures to improve its systems, such as procuring additional layers of cybersecurity, among others.

Earlier, PhilHealth said it is set to procure and install additional cyber security systems to prevent a repeat of the hacking incident that affected its operations more than a week ago.

PhilHealth executive vice president and chief operating officer Eli Dino Santos said PhilHealth is already taking concrete actions to fortify its defenses against future cyber security threats.

Santos said a budget has already been allocated for the purchase of additional security equipment.

“We already procured items but there are still items that should be purchased – these are items that cover cyber security and information security,” the official added. – Jose Rodel Clapano, Rhodina Villanueva