NPC: PhilHealth hacking victims can file complaint

MANILA, Philippines — Individuals who had their personal data stolen in the Medusa ransomware attack on the Philippine Health Insurance Corp. (PhilHealth) can file a complaint before the National Privacy Commission.

NPC Public Information and Assistance Division chief Roren Marie Chin said people who think their personal data had been compromised in the successful ransomware attack on PhilHealth can file their individual complaint before the commission.

“Individuals affected may file a complaint to NPC and if proven, they can claim damages,” Chin said.

She added their investigation of the complaint would determine the damage claims that can be awarded.

Don’t reshare data

The NPC has also issued a warning against the resharing of leaked data from the PhilHealth ransomware attack.

“It has come to our attention that the personal data exfiltrated from PhilHealth is being shared illicitly. We want to emphasize the gravity of this situation and the severe consequences that await anyone involved in processing, downloading or sharing this data without legitimate purpose or without authorization,” the NPC said in a statement yesterday.

“In unequivocal terms, the NPC issues a stern warning to the public: Any individual or organization found to process, download or share the exfiltrated data from PhilHealth will be held accountable for unauthorized processing of personal information and may face criminal charges,” it stated.

The Privacy Commission emphasized that under Section 25 of the Data Privacy Act of 2012 (DPA), those found guilty of unauthorized processing of personal information will face penalties that include imprisonment for one to three years and a fine ranging from P500,000 to P2 million.

In addition, unauthorized processing of sensitive personal information carries even more substantial penalties, particularly imprisonment for three to six years and a fine ranging from P500,000 to P4 million.

“Sharing such leaked data exposes affected individuals to a range of risks, including identity theft, fraud, extortion, blackmail and other malicious activities. We urge you, as responsible citizens, to refrain from resharing this data and to promptly report its presence to the relevant authorities, including the NPC and law enforcement agencies,” the NPC said.

“We also call upon personal information controllers and processors to strengthen their data protection measures. Compliance with the DPA and other relevant laws and regulations is not just essential; it is a collective responsibility to protect the rights and privacy of every Filipino,” it added. — Catherine Talavera