THE National Privacy Commission (NPC) said it has documented data breaches involving 154 persons during the coronavirus disease 2019 (COVID-19) pandemic, including patient names and addresses as well as the disclosure of persons subject to quarantine.

In a statement, the NPC is assessing the data breaches and has asked health providers to fir up their personal data protections.

The regulator said it received 17 notifications relating to the unauthorized disclosure of the personal information of suspected and confirmed COVID-19 patients.

The data breaches include online posts and messages listing patient names and addresses, an emergency room admission sheet, a photo of a death certificate, and diagnostic results, the NPC said in a mobile message to reporters Saturday.

Other data breaches include the sharing of lists of names of quarantined doctors, passengers of a flight allegedly carrying COVID-19 patients, and employees of a nonprofit organization that have been in recent contact with a COVID-19 patient.

“With a view to preventing similar instances of unauthorized disclosure from happening, we call on health institutions and their Data Protection Officers (DPOs) to strengthen the protection of patient data,” NPC said.

NPC said that patients will only fully disclose information to authorities if they are assured that the information is protected against unauthorized disclosure.

The government requires individuals who have tested positive for COVID-19 to declare personal information to the health department. Cabinet Secretary Karlo Alexei B. Nograles, spokesperson of the Inter-Agency Task Force for Emerging Infectious Diseases (IATF-EID), said such information would enhance contact tracing efforts.

Unauthorized disclosure of patient data is prohibited under the Data Privacy Act of 2012.

Privacy Commissioner Raymund E. Liboro said that health institutions must regularly remind staff of their duty to protect data, adding that access to data should be limited to a “need-to-know” basis.

“This means that health personnel are allowed only the minimum and necessary access to enable the performance of their functions.”

Mr. Liboro said health facilities should have data-access controls such as locks and alarms. He said that patient data should only be disclosed with proper authorities, and that health staff should avoid discussing patient information in public areas unless they are providing treatment under compelling circumstances.

Computer displays, he said, should be protected from accidental viewing. Portable storage media such as USB flash drives should be password protected.

He also said that patient data should be encrypted.

“Electronic copies of patient data must be protected to the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in-transit and at rest ensures that the files are locked and only accessible to authorized persons,” he said.

Mr. Liboro said that health staff should communicate online using secure platforms.

“For further protection, ensure that the documents are encrypted with a password of sufficient strength. The password must be sent via a separate channel like SMS/text. It is likewise advised that apart from setting a strong password, a second-factor authenticator may be used whenever logging into accounts.” — Jenina P. Ibañez