NPC calls for heightened security vs. fraud amid PhilHealth data leak

By Raymond Carl Dela Cruz

October 11, 2023, 5:21 pm

RANSOMWARE ATTACK. It’s business as usual, although on a manual basis, at the Philippine Health Insurance Corp., like in this branch in Mo. Ignacia Avenue, Quezon City, on Sept. 26, 2023, four days after its system was attacked by the Medusa ransomware. The National Privacy Commission on Wednesday (Oct. 11, 2023) called on banks, hospitals and telecommunications companies to exercise “heightened vigilance” in detecting and preventing fraud following the data breach. (PNA photo by Joan Bondoc)

MANILA – The National Privacy Commission (NPC) on Wednesday called on banks, hospitals and telecommunications companies (telcos) to exercise “heightened vigilance” in detecting and preventing fraud following the data breach at the Philippine Health Insurance Corporation (PhilHealth).

In an advisory, the NPC warned companies that serve as personal information controllers (PIC) and personal information processors (PIP) to be wary of counterfeit PhilHealth IDs.

It noted that the NPC’s Complaints and Investigation Division concluded that a portion of the 650 GB data dump by the Medusa Ransomware Group contained personal and sensitive information of PhilHealth members.

In response, it warned banks and other financial institutions that such data could be used in identity theft and financial fraud by opening accounts and conducting transactions using leaked PhilHealth information.

“Counterfeit IDs can facilitate money laundering activities within the banking system, potentially exposing banks to legal and regulatory consequences,” it said.

For public and private hospitals, it said the data leak could be used in medical fraud or in illegally claiming healthcare benefits, as well as in gaining unauthorized access to sensitive medical information.

It also warned telcos that leaked PhilHealth information could be used in SIM registration identity theft.

“Counterfeit IDs may be used in the registration of SIM cards, enabling malicious actors to engage in criminal activities such as fraud, harassment, and scams while remaining anonymous,” it said.

Earlier, PhilHealth acting vice president of Corporate Affairs Group Rey Baleña said the investigation into the hacking incident is ongoing and advised that members who have been compromised would be notified.

The analysis, he said, is being done by the Department of Information and Communications Technology and is “nearing completion.” (PNA)
