PhilHealth hack potentially exposes 42 million people

House committee demands answers

By Roxanne Libatique

The House appropriations committee has asked the Philippine Health Insurance Corporation (PhilHealth) to provide a detailed report on the data breach incident from September last year, which exposed the personal information of 42 million people.

During a hearing on July 8, the National Privacy Commission (NPC) revealed that the breach impacted records of senior citizens, rebel returnees, and indigent Filipinos.

NPC Director IV Maria Theresita Patula informed the committee that hackers had dumped 181 million records, with 42 million unique records currently being cleaned.

“There were 181 million records that were dumped [by the hackers], and we have downloaded them but there were duplicate records… as of now we’re cleaning 42 million records,” she said, as reported by Rappler.

PhilHealth data breach

The breach occurred on Sept. 22, 2023, when PhilHealth’s workstations were compromised.

The agency’s antivirus software had expired between April 15 and May 15, 2023, and there was a delay in procuring a new subscription, which contributed to the vulnerability.

Stolen data from PhilHealth has appeared on the dark web after the government declined to meet ransom demands made by hackers.

Preliminary investigations have shown that the leaked information includes identification cards of PhilHealth employees, such as Government Service Insurance System (GSIS) IDs.

Department of Information and Communications Technology (DICT) Undersecretary Jeffrey Dy reported finding copies of employee payrolls, regional office memos, directives, working files, and hospital bills on the dark web.

“In terms of PII (personal identifiable information), we saw some IDs, pictures, which we cannot ascertain at the moment if they are PhilHealth employees, or members,” he said.

The DICT previously reported that cybercriminals had demanded US$300,000 (approximately PHP17 million) for decryption keys and to prevent further dissemination of the stolen data.

Both the DICT and PhilHealth have said that the main members’ database, which contains sensitive information such as claims, contributions, and accreditation details, was not among the servers affected by the Medusa ransomware attack.

However, authorities have clarified that this does not guarantee that hackers did not access members’ information, as some of the same details might have been on other compromised servers.
