The data from the Philippine Health Insurance Corp. (PhilHealth) leaked by hackers in the dark web was being “shared illicitly,” reports received by the country’s privacy watchdog showed.
The National Privacy Commission on Tuesday issued a “critical warning” to individuals or groups against spreading the leaked personal data following the Medusa ransomware attack on PhilHealth systems.
“It has come to our attention that the personal data exfiltrated from PhilHealth is being shared illicitly. We want to emphasize the gravity of this situation and the severe consequences that await anyone involved in processing, downloading, or sharing this data without legitimate purpose or without authorization,” the commission said.
The NPC said under Section 25 of the Data Privacy Act, penalties for sharing illicit data range from P500,000 to P4 million, with jail terms of up to six years.
The NPC said sharing the leaked data exposes further affected individuals to a range of risks, including identity theft, fraud, extortion, blackmail, and other malicious activities.
Affected individuals may file a complaint before the NPC, and can claim damages if proven that their personal data was compromised and processed illicitly.
“We urge you, as responsible citizens, to refrain from resharing this data and to promptly report its presence to the relevant authorities, including the NPC and law enforcement agencies,” the NPC added.
It also called on personal information controllers and processors to strengthen data protection measures.
The Department of Information and Communications Technology on Monday said millions of PhilHealth members have been affected by the cyberattack.
“Unfortunately, it’s significant. It’s not the entire database, but it’s still significant,” DICT Usec. Jeffrey Dy said.
The illegally obtained data amounted to around 700 gigabytes or over 420,000 files, the DICT said.
While PhilHealth’s public-facing platforms are back to normal, investigators are still determining the origin of the attack as well as possible liabilities of PhilHealth personnel.
“We are looking at the possible gaps in security that led to this hacking. We’re looking at the responsibilities of every official, every department, to see if there was negligence,” NPC Complaints and Investigation Division Chief Michael Santos said.