Two advocacy groups on data privacy urge the Department of Information and Communications Technology (DICT) and the National Privacy Commission (NPC) to warn and prepare Filipino consumers, and institutions that have received PhilHealth member information to deliver their services, on the potential impact of the PhilHealth data breach through a Medusa malware attack discovered last September 22.
“Compared to the Comelec data breach in 2016, the potential impact of this incident is even bigger as all working Filipinos are mandatorily enrolled, and need to pay monthly contributions. We urgently request the DICT and NPC that even if only a fraction of the extent of the breach has been revealed by the threat actors, they can already guide consumers, and institutions that use PhilHealth information on what to do in case their personal information was compromised by the breach,” said Sam Jacoba, President of the National Association of Data Protection Officers of the Philippines (NADPOP), the Philippines’ first advocacy group of Data Protection Officers.
Lito Averia, President of the Philippine Computer Emergency Response Team (PH-CERT), a volunteer organization that assists individuals and institutions on information security issues, agree that the regulators should already anticipate the worst case scenario as it is better to warn Filipino consumers as soon as possible as the threat actors can already exploit the illegally accessed personal information.
“PhilHealth, with the help of the DICT, is releasing information on the breach bit by bit. This is actually understandable as the discovery process for external security incidents is complicated, but they can already assume that a significant number of member data was compromised based on their recent statement,” Averia said. “Thus, better prepare PhilHealth members for the worst case scenario so they will not be caught off-guard and suffer potential financial loss or be a victim of identity theft.”
NADPOP and PH-CERT also offered to provide a third-party perspective and assist PhilHealth in its current breach investigation with the DICT and NPC.
“If PhilHealth needs unbiased third-party support, we have volunteers who are ready to assist in digital forensics and in the data breach management needs of the agency,” Jacoba and Averia jointly offered. “We are extending our support to PhilHealth and its impacted employees and members during this time as we know the value of all of us helping each other during these times. It takes a community to protect personal information.”
NADPOP and PH-CERT just concluded CyberSecConPH last September 19 attended by more than 100 cybersecurity professionals, which kickstarted the formation of a Cybersecurity Community of Practice in the Philippines that will connect with the ASEAN-Japan Cybersecurity Community this week in Tokyo. On October 25 to 27, in support of Cybersecurity Month, the two groups will host an online conference on Governance, Risk and Compliance (GRC) that will elevate the knowledge and skills of Data Protection Officers (DPOs) and Cybersecurity Professionals in fighting against internal and external threat actors. The conference is by-invitation only and exclusive to active NADPOP and PH-CERT community volunteers, members and partners.