NPC warns public against sharing, copying leaked PhilHealth data
By Justine Irish D. Tabile, Reporter
THE NATIONAL Privacy Commission (NPC) has issued a “critical warning” to the public against any attempt to download and share personal data leaked by hackers following the recent ransomware attack on the Philippine Health Insurance Corp. (PhilHealth).
“It has come to our attention that the personal data exfiltrated from PhilHealth is being shared illicitly,” NPC said in a statement issued on Tuesday.
“We want to emphasize the gravity of this situation and the severe consequences that await anyone involved in processing, downloading, or sharing this data without legitimate purpose or without authorization,” the NPC said.
Under Section 25 of the Data Privacy Act (DPA) of 2012, those found guilty of unauthorized processing of personal information will face penalties that include imprisonment for one to three years and a fine ranging from P500,000 to P2 million.
Meanwhile, unauthorized processing of sensitive personal information carries more substantial penalties that include three to six years' imprisonment and a fine ranging from P500,000 to P4 million.
“Sharing such leaked data exposes affected individuals to a range of risks, including identity theft, fraud, extortion, blackmail, and other malicious activities,” the NPC said.
“We urge you, as responsible citizens, to refrain from resharing this data and to promptly report its presence to the relevant authorities, including the NPC and law enforcement agencies,” it added.
The NPC also called on personal information controllers and processors to strengthen their data protection measures.
“Compliance with the DPA and other relevant laws and regulations is not just essential; it is a collective responsibility to protect the rights and privacy of every Filipino,” it said.
In an interview with One Balita Pilipinas on Tuesday, National Bureau of Investigation Cybercrime Division Executive Officer Efren Abantao advised PhilHealth members to update their online credentials.
“That is why it is better if we have a strong username and password, and even better if we employ two-factor authentication,” Mr. Abantao said in Filipino.
Mr. Abantao also said that the NBI has suggested to the concerned agencies that PhilHealth numbers and employee identification numbers be changed, noting that this is only right as it is a shared responsibility.
However, he said that although sharing and downloading the data violates the DPA, it will be hard to trace the people involved, especially if they are able to preserve their anonymity.
“It will be hard for us to trace them but there is still the possibility we will be able to trace who downloaded the data,” he added.
In September, PhilHealth was hit by a ransomware attack, in which the hackers demanded $300,000 from the government in exchange for decryption keys.
Last week, the hackers were said to have started publishing personal data, including employee records, pictures, payroll details, and hospital bills, from about 600 gigabytes of data taken from the state health insurance agency.