DATA BREACH | PhilHealth says ransomware didn’t affect members’ database, advises continued vigilance

October 4, 2023 , 10:19 AM

(October 4, 2023) – The Philippine Health Insurance Corporation (PhilHealth) on Tuesday said the ransomware attack on its system only affected servers and workstations of employees and not the main database containing private information about its members.

According to PhilHealth, the information about claims, contributions, and accreditations are stored in a separate database “completely unaffected by the cyberattack.”

“Files stored locally in the hard drive of the infected workstations may have been compromised. An inventory is being conducted in order to determine the extent of information which may have been exfiltrated from these workstations,” said PhilHealth.

#MyPhilHealth reiterates that its membership database is intact and unharmed by the cyberattack last Sept 22.

The Corporation urges the public to be cautious in opening malicious contents online and on social media. It is working with the authorities to catch the perpetrators. pic.twitter.com/bvxgBsJ7Q9

— PhilHealth (@teamphilhealth) October 3, 2023

In an earlier notice, the state health insurer claimed that the name, address, date of birth, sex, phone number, and PhilHealth identification number of data subjects may have been compromised, but the extent of the breach has yet to be determined.

“We are working to notify all affected individuals directly. If you have not received a notification from us, you may have not been affected,” wrote PhilHealth in its urgent notice, advising the people to monitor their credit reports for any unauthorized activity resulting from the Medusa Ransomware.

Other government agencies like the Department of Information and Communications Technology (DICT), the National Privacy Commission, and the National Bureau of Investigation are also working with PhilHealth to address the matter.

#MyPhilHealth reiterates that its primary database is intact following the cyberattack last Sept 22. It is working with various gov’t agencies to bring the culprits to justice.https://t.co/Vm1AgUCPVC https://t.co/YPB21Rbvq8 pic.twitter.com/94GUtMRoWK

— PhilHealth (@teamphilhealth) October 2, 2023

In an interview, DICT undersecretary Jeffrey Dy confirmed that the hackers have started exposing data on the dark web after the government refused to pay the ransom worth $300,000 or around P17 million.

Identification cards were leaked, according to Dy, but he clarified that they are still ascertaining if those are owned by employees or members of PhilHealth.

“Karamihan talaga rito ay office files, mga memo, like I said, payroll. Ang majority talagang tinamaan ay mga empleyado ng PhilHealth,” said Dy, noting that the hackers took a “step-by-step” approach.

#FrontlineTonight | Ikinalat na umano sa dark web ang mga na-hack na datos mula sa #PhilHealth.

Giit naman ng korporasyon, protektado pa rin ang mga mahahalagang impormasyon ng mga miyembro nito. #News5 | via @iBrianeDP pic.twitter.com/Qr5Nuzv00s

— News5 (@News5PH) October 3, 2023

While PhilHealth maintained that the members’ database remains intact, it still reminded its members to be extra cautious to avoid compromising their data.

“We continue to appeal to our members to remain vigilant and to refrain from opening, sharing, liking, or reposting malicious posts as it only magnifies the damage caused by the perpetrators,” said PhilHealth, vowing to “strengthen our information security measures” in line with data privacy measures.

Filipinos could not help but express their disappointment because of the poor systems that the government has in place to protect data. Others also called on PhilHealth to do better to safeguard the information it has because of the negative implications of a data breach.

The authorities stressed that they will hold accountable the hackers for their illicit actions.

So far, PhilHealth said the HCI Portal, the electronic premium remittance system, and the electronic PhilHealth acknowledgement receipt are already back online as of this morning.

Privacy Statement

Our Privacy Commitment

TV5 Network Inc. values and respects your privacy. We are committed to safeguarding your personal data in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations.

We have developed a Privacy Policy that adopts and observes appropriate standards for personal data protection. While our Privacy Policy sets out the general principles governing the collection, use, and disclosure of our users’ personal information, our Privacy Commitment seeks to inform you more about TV5’s privacy practices.

Why do we collect your personal information (as applicable)?

We may collect and maintain basic information about you as site user of TV5 sites for the following purposes:

To deliver news and updates on current events, sports, esports and entertainment;
To share livestreams of news and sports events;
To understand our viewers’ needs and preferences;
To meet legal and regulatory requirements; and
To perform other processes or disclosures that are required to comply with pertinent laws, rules, or regulations.

Where do we get your personal information?

There are several ways we collect your personal information.

Information that you personally provided.

Most of the personal information we have are those that you have provided us when you:
- Register to our programs or services;
- Inquired, filed a complaint or requested for our services;
- Took part in our research and surveys; and/or
- Became our Partner, Vendor, Contractor or Supplier.

Information we collect during your engagement with us

We also collect information as you use our products and services, like:
- Viewing our websites;
- Activities that are being tracked by our website cookies;
- Calling our hotline;
- Using our apps, websites, and self-service channels and portals; and/or
- Joining our promos, prize raffles, or rewards and loyalty programs.

Information we collect from other sources

Other means of collection of information may be through:
- Our market research initiatives;
- When you visit and use our websites and mobile application; and
- Subsidiaries, affiliates, and third-party business partners to whom you have given consent to share your information to us.

When do we disclose personal information?

There may be instances when we are required to share the information you provided us. In such cases, we ensure that your personal information will be disclosed on a confidential manner, through secure channels and in compliance with the Data Privacy Act and other privacy laws.

We will never share, rent, or sell your personal information to third parties outside of TV5 except in special cases where you have given consent, and in cases described in our privacy policy.

In some instances, we may be required to disclose your personal information to our agents, subsidiaries, affiliates, business partners and other third-party agencies and service providers as part of our regular business operations and for the provision of our programs and services. This means we might share your information with our service providers, contractors, and professional advisers who help us provide our services.

How we protect your personal information

The integrity, confidentiality, and security of your information is important to us. We have implemented technical, organizational, and physical security measures that are designed to protect your information from unauthorized or fraudulent access, alteration, disclosure, misuse, and other unlawful activities.

We also put in effect the following safeguards:

We keep and protect your information using a secured server behind a firewall, encryption and security controls;
We keep your information only for as long as it is necessary for us to (a) provide the products and services that you avail from us, (b) for our legitimate business purposes, (c) to comply with pertinent laws, and (d) for special cases that will require the exercise or defense of legal claims;
We limit the access to your information only to qualified and authorized personnel who are trained to handle your information with strict confidentiality;
We undergo regular audits and rigorous testing of our infrastructure’s security protocols to ensure your data is always protected;
We promptly notify you and the National Privacy Commission when sensitive personal information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person; and
We let you update your information securely to keep our records accurate.

TV5 will not collect, use, or disclose your personal information for any purpose other than the purpose that you may have given your consent for.

What are your choices?

We make sure that we have your consent to continue to collect, use, and disclose your personal information for the purposes that we have identified. We want you to know that you may object or withdraw your consent and/or edit your consent preferences at any time.

If you wish to have access to the personal information in our custody or if you think that the personal information you provided is incomplete, or otherwise inaccurate, you may get in touch with our Data Protection Officer through the contact details provided below. In some instances, we may request for supporting documents or proof before we effect requested changes.

Data Protection Officer
TV5 Network Inc.
Reliance corner Sheridan Streets
Mandaluyong City
tv5dataprivacy@tv5.com.ph

What happens when there are changes in our Policy?

From time to time, we may update our privacy policy and practices to comply with changes in applicable laws and regulatory requirements, adapt to new technologies and protocols, and align with the best practices of the industry.

You will be provided notices if the changes are significant and, if we are required by law, we will obtain your updated consent.