2023 PhilHealth data breach affected 42M individuals — NPC

The September 2023 data breach on state-run Philippine Health Insurance Corporation (PHIC) has affected P42 million individuals, the National Privacy Commission (NPC) said Monday.

Director 4 and lawyer Maria Theresita Patula made the response upon the questioning of House appropriations panel senior vice chairperson Stella Quimbo of Marikina City.

“As of now, there are 42 million records [of individuals], Madam Chair,” Patula said asked by Quimbo how many PhilHealth members were affected by the data breach.

“These include patient medical records, billing files with PhilHealth member record, PhilHealth member record of rebel returnees under the government’s Pamana (Payapa at Masaganang Pamayanan) program, indigent billing records, records of those killed in action and senior citizens,” Patulad added.

Quimbo was astonished by the number, saying it is quite concerning and proceeded to ask if the 42 million individuals have been informed that their personal data had been leaked.

“That’s a significant portion. Nakakabahala ito [This is disturbing]. Does PhilHealth have a liability on this?” Quimbo said.

Patula said the NPC is already conducting a hearing on the matter, and that PhilHealth is expected to submit a response within 15 days from July 4 clarification hearing.

“After that, the NPC will resolve the case [and see if] there is possible violation of the Data Privacy Act,” Patula added.

Patula, however, noted that under the Data Privacy Act, PhilHealth has the mandate to inform its members affected by the data breach within 72 hours of such occurrence.

“They (PhilHealth) should inform the affected data subjects of how the breach happened, what possible risk they are exposed to such as identity theft, and how they can protect themselves from the risks,” Patula said.

Quimbo then proceeded to question PhilHealth Chief Operating Officer Eli Santos if PhilHealth has been able to inform its 42 million members of the said data breach.

Santos responded by saying that PhilHealth’s Information Security Office is implementing measures to address the data breach, but Quimbo interrupted him and pressed to ask how many of the 42 million PhilHealth members have been already informed of the data breach.

“How many of them already know of the breach? Ang sagot lang ang [The answer here is] yes or no. Have they been informed and told of precautionary steps to take? An information drive so they can protect themselves?” Quimbo said.

Santos responded by saying “No, Madam chairperson.”

This prompted Quimbo to require Santos to submit a status report on the data breach, including how many of the 42 million affected have been informed, at the soonest possible time.

“This is a very, very serious matter. You need to submit this at the soonest possible time. You need to submit this by Wednesday, and by Friday, a report on how do you intend to comply [with your mandate of informing them.”

Santos, in response, said “we will comply at the soonest possible time.” — RSJ, GMA Integrated News