The National Privacy Commission (NPC) urged the public to take "extra caution" after a "staggering" 734 GB worth of data from the Philippine Health Insurance Corporation (PhilHealth) was leaked.
In a statement, the NPC advised using strong passwords and multi-factor authentication, as well as being extra cautious toward unexpected calls, texts, and emails.
A group called Medusa claimed to have hacked into PhilHealth computers and stolen the personal information of its beneficiaries, holding it for ransom worth $300,000 (P17 million). Data include name, address, birthday, sex, mobile number, and identification number.
The NPC said it had already launched an investigation and had completed its initial analysis of 650 GB of compressed files from the data dump claimed by Medusa.
“Upon extraction, these files revealed a staggering 734 GB worth of data, including personal and sensitive personal information,” the NPC said in a statement.
PhilHealth, for its part, said it's in the process of notifying members who were affected by the leak.
To date, PhilHealth has at least 103 million beneficiaries.
The NPC noted that PhilHealth “implicitly acknowledged a degree of negligence on their part.”
“The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information,” the commission said.
The NPC warned against potential violations of the Data Privacy Act of 2021, which carries a penalty of imprisonment from one to three years and a fine of P500,000 to P2 million for unauthorized access.
Providing access due to negligence, meanwhile, leads to imprisonment from three years to six years and a fine of P500,000 to P4 million.
Improper disposal of data results in imprisonment of six months to two years and a fine of P100,000 to P500,000.
Those involved in the improper disposal of data will face imprisonment of one year to three years and a fine of P100,000 to P1 million.