April 27, 2024

Two data privacy advocacy groups are urging the Department of Information and Communications Technology (DICT) and the National Privacy Commission (NPC) to warn and prepare Filipino consumers and institutions that received PhilHealth member information for services.

The concern is about the potential consequences of the PhilHealth data breach, which involved a Medusa malware attack discovered on September 22.

PhilHealth, on October 2, said some user data such as names, addresses, sex, date of birth, phone number, and PhilHealth identification numbers have been compromised.

Both the DICT and PhilHealth claim that the members’ database—which contains their claims, contribution, and accreditation information—remains “intact” as it was not part of the servers affected by the Medusa ransomware attack.

“Compared to the Comelec data breach in 2016, the potential impact of this incident is even bigger as all working Filipinos are mandatorily enrolled, and need to pay monthly contributions,” said Sam Jacoba, President of the National Association of Data Protection Officers of the Philippines (NADPOP), the Philippines’ first advocacy group of Data Protection Officers.

“We urgently request the DICT and NPC that even if only a fraction of the extent of the breach has been revealed by the threat actors, they can already guide consumers, and institutions that use PhilHealth information on what to do in case their personal information was compromised by the breach,” Jacoba added.

Lito Averia, President of the Philippine Computer Emergency Response Team (PH-CERT), agrees, saying that the regulators should already anticipate the worst-case scenario: it is better to warn Filipino consumers as soon as possible, since the threat actors can already exploit the illegally accessed personal information.

NADPOP and PH-CERT also offered to provide a third-party perspective and assist PhilHealth in its current breach investigation with the DICT and NPC. 

“If PhilHealth needs unbiased third-party support, we have volunteers who are ready to assist in digital forensics and in the data breach management needs of the agency,” Jacoba and Averia jointly offered.

“We are extending our support to PhilHealth and its impacted employees and members during this time as we know the value of all of us helping each other during these times. It takes a community to protect personal information,” they added. 

From October 25 to 27, in support of Cybersecurity Month, the two groups will host an online conference on Governance, Risk and Compliance (GRC) that will elevate the knowledge and skills of Data Protection Officers (DPOs) and cybersecurity professionals in fighting against internal and external threat actors.
