MANILA, Philippines — The National Privacy Commission said Wednesday that it is investigating the potential negligence of the Philippine Health Insurance Corp. (PhilHealth) following a cyberattack that affected the insurer’s servers and workstations.
According to NPC, it is “currently assessing whether negligence was involved” on the part of PhilHealth before making any definitive statements.
“We are also looking if there is concealment and possible imposition of administrative fines, pending the outcomes of our investigation,” it said.
The privacy commission added that it has identified documents containing personal information such as identification cards and photographs. NPC is currently verifying whether these individuals have any connection to PhilHealth, either as employees or members.
In a statement clarifying the “urgent public advisory” issued Tuesday, PhilHealth maintained that the ransomware attack “did not affect our servers containing members’ private information.” It said that the membership data, claims, contribution and accreditation information are stored in a separate database and remain unaffected by the cyberattack.
PhilHealth insisted that the cyberattack affected only application servers and employees’ workstations.
“An inventory is being conducted in order to determine the extent of information which may have been exfiltrated from these workstations,” the state health insurer said.
It added that the notice was issued in compliance to the requirement of the NPC to reach out to and inform data subjects who may be affected by the malicious posts of the attackers.