MANILA, Philippines – The House appropriations committee has ordered the Philippine Health Insurance Corporation (Philhealth) to submit a status report on the data leak after some of the agency’s workstations were hacked in September last year.

Lawmakers earlier learned at least 42 million Filipinos were exposed by the breach. During a hearing of the House panel on Monday, July 8, the National Privacy Commission (NPC) bared that the hacking incident in September 2023 affected records of senior citizens, rebel returnees, and indigent Filipinos. 

“There were 181 million records that were dumped [by the hackers] and we have downloaded them but there were duplicate records…as of now we’re cleaning 42 million records,” NPC Director IV Maria Theresita Patula told the panel. 

Some of the state insurer’s laptops were hacked on September 22, 2023. Philhealth’s antivirus software expired around April 15 to May 15, 2023, and procurement for a new subscription was apparently delayed. 

The hackers, which used Medusa ransomware, conducted a global attack and were not targeting a specific sector. 

Hackers initially asked the Philippine government for ransom amounting to $300,000 (around P17 million), but the government refused to pay. They started publishing the breached data on October 3. 

These included patient medical records, billing file with member records, Payapa at Masaganang Pamayanan (PAMANA) program documents, indigent billing records, and details of those killed in action or through police operation. 

While the NPC put up a search portal to help Philhealth members identify whether their data had been leaked, Patula said that Philhealth still had the responsibility to notify its members within 72 hours after the data breach. 

Philheath should have also briefed its members on:

• How the data was breached
• What personal data could have been accessed
• Possible risks members may face (i.e. identity theft)
• How to protect themselves from risks 

The state insurer said they tried to inform their members. 

“We implemented measures to inform the data subjects affected,” Philhealth Executive Vice President Eli Santos told the panel. “We complied with the rules of the Data Privacy Act.”

However, when lawmakers pressed for more information, Santos admitted he was not privy to how the agency was reaching out to affected members as it was the Information Security Office of Philhealth that was in charge. 

The House panel gave Philhealth until Wednesday, July 10, to submit a status report and until Friday, July 12, to inform lawmakers about their plans moving forward. – Rappler.com