
HEALTH maintenance organization (HMO) Maxicare Healthcare Corp. said on Wednesday that the data breach of its systems on June 13 did not involve sensitive medical information.

In a statement, Maxicare said that the incident, which it described as “alleged unauthorized access” to the personal information of 13,000 members, involved less than 1% of its membership.

However, it added that the compromised data may include information used for booking requests.

“At this point, what we can confirm is that the business operations, network, and customer data of Maxicare have not been impacted in any way,” Maxicare said.

“Lab@Home maintains a separate database for booking requests, which is not integrated with Maxicare’s system,” it added.

On Tuesday, the National Privacy Commission (NPC) confirmed that it received a report from Maxicare on the data breach through its Data Breach Notification Management System on June 16.

Maxicare said that it is still verifying the extent of the breach and has put in place “emergency measures to ensure the privacy and safety” of affected members.

“We launched an investigation together with a team of data security professionals and in partnership with an industry-leading cybersecurity firm,” the company said.

“Our team is fully adhering to all regulatory requirements set by the NPC. We will continue to communicate with our valued members on this matter,” it added.

The data breach at Maxicare was the fourth incident reported by the NPC this month. On June 6, the NPC also reported data breaches at Robinsons Land Corp., the Philippine National Police, and Toyota Motors.

Meanwhile, the regulator said that it has not received any data breach notification from the Maritime Industry Authority (Marina) as of Tuesday afternoon.

In a Facebook post on Monday, Marina reported attacks on four of its web-based systems.

According to the NPC, companies and individuals processing personal data are required to notify affected data subjects individually and report to the regulator within 72 hours of discovering a breach. — Justine Irish D. Tabile