Is your PhilHealth data safe after the breach? NPC reveals new verification portal

Senior citizens prioritized in innovative tool, ensuring data privacy amidst catastrophic leak


At a glance

  • The National Privacy Commission (NPC) rapidly developed and launched the "Na-leak ba ang PhilHealth Data ko?" portal, indicating a decisive and swift action in response to the alarming data breach caused by the Medusa Ransomware Group.

  • Senior citizens, identified as particularly vulnerable to threats such as phishing, blackmail, and extortion, are the primary focus of the portal, allowing them to check the security of their data amidst the cyberattack and safeguard against potential exploitative acts.

  • The "Na-leak ba ang PhilHealth Data ko?" portal is designed to enable approximately one million Filipinos, especially those aged 60 and above, to verify the security of their data by using their PhilHealth Identification Number (PIN), providing a user-friendly method to assess the risk posed by the data breach.

  • The initiative underscores that utilizing the leaked data from PhilHealth may be deemed "unauthorized processing", infringing upon the Data Privacy Act of 2012, Section 25, thereby aiding in navigating legal and ethical considerations in a sensitive digital environment.

  • NPC’s commitment to continually updating the portal, gradually incorporating information from all affected age groups, not only addresses the immediate crisis but also underscores a sustained effort to uphold data privacy and citizen security amidst evolving cybersecurity threats.


In a determined response to the ransomware attack by the Medusa Ransomware Group, which compromised the personal data of millions of Filipinos, the National Privacy Commission (NPC) has unveiled a new tool designed to empower citizens, particularly senior citizens, to verify the security of their data. The NPC launched the "Na-leak ba ang PhilHealth Data ko?" portal on October 13, 2023, amidst a disconcerting data breach involving the Philippine Health Insurance Corporation (PhilHealth).


An incident that came to light on October 5, 2023, saw approximately 734 GB of data purportedly exfiltrated by the Medusa Ransomware Group from PhilHealth's database and subsequently posted online. The incident brought serious concerns about data privacy, identity theft, financial fraud, medical identity theft, and other potential illicit activities stemming from the misuse of the personal data of PhilHealth's beneficiaries.

The portal contains information pertinent to individuals aged 60 and above, equating to approximately one million records from an estimated pool of 8.5 million senior citizens. This initiative primarily seeks to safeguard this demographic due to their heightened vulnerability to exploitative acts such as phishing attacks, extortion, and blackmail.

The "Na-leak ba ang PhilHealth Data ko?" portal is an individualized search tool allowing Filipinos to ascertain whether their personal information was included in the leaked data by entering their PhilHealth Identification Number (PIN). Privacy Commissioner Atty. John Henry D. Naga articulated that the NPC developed the portal in an "exceptionally short period," reflecting an unwavering commitment to protecting citizens' personal information. The initiative also underscores the commission's resolve to fortify data privacy and citizens' peace of mind after the data leak.

The portal covers this specific incident only and holds no information about data breaches from other incidents or sources. The NPC was adamant that a negative result from this search is not a general assurance of data security in other areas.

The "Na-leak ba ang PhilHealth Data ko?" initiative also acts as a preventive measure to mitigate potential legal consequences for individuals. It emphasizes that downloading, processing, or utilizing the exfiltrated data from PhilHealth may be considered "unauthorized processing", infringing upon the Data Privacy Act of 2012, particularly Section 25.

By providing a compliant platform through which individuals can check the status of their personal data, the portal enables Filipinos to safeguard their personal information, ensuring they do not unwittingly violate the law while attempting to verify the security of their data.

In the forthcoming period, the NPC commits to consistently updating the portal's database to incorporate the most recent information, gradually encompassing data from all age groups affected by the PhilHealth data leak incident. Consequently, it will serve as an ongoing, reliable resource for evaluating the security of personal data amidst the evolving situation.

To utilize the "Na-leak ba ang PhilHealth Data ko?" portal, citizens can visit https://philhealthleak.privacy.gov.ph/. Additionally, the NPC can be reached at [email protected] for further inquiries or more information.

"We would like to emphasize that companies and individuals processing personal data have the responsibility to notify all affected data subjects. However, NPC understands the urgency of this matter and cannot afford to wait for them to take action while citizens are concerned and uncertain," Roren Marie Chin, Chief for Public Information and Assistance Division of the National Privacy Commission (NPC), said.

In a climate where data privacy has become paramount, such innovative solutions stand not only as reactive measures but also as a testament to a government's proactive commitment to ensuring the digital safety and security of its citizens' personal information.

What if your details are found in the database?

The NPC recommends taking proactive measures to safeguard your data against potential risks like identity theft, financial fraud, phishing attacks, extortion, blackmail, medical identity theft, reputational damage, and invasion of privacy.

Jeffrey Ian Dy, Undersecretary for Connectivity, Cybersecurity, and Upskilling at the Department of Information and Communications Technology (DICT), cautioned PhilHealth members to be careful. "If you're in the leaked PhilHealth database, we advise that you change your passwords for your online accounts. Avoid using personal information such as your birthday or a relative's name in your new password. Enable multi-factor authentication. And be vigilant not to click any link sent through text or email," Dy said.

"We also caution the public against messages that may circulate informing them that they are victims of the data leak and then asking them to click on a link to remedy the situation. Government will not send them any link to click via text or email," Dy added.

The National Privacy Commission has issued the following recommended steps to take if the platform informs you that your PhilHealth ID number is in the leaked database.

Change your passwords. Change the passwords for all your online accounts, including your PhilHealth account, email account, and bank accounts. Use strong passwords that are at least 12 characters long and include a mix of upper and lowercase letters, numbers, and symbols.

Enable multi-factor authentication. Multi-factor authentication (MFA) adds an extra layer of security to your online accounts. It requires you to enter a code from your phone in addition to your password when logging in.

Monitor your accounts. Monitor your bank accounts and credit reports for any suspicious activity. You can also sign up for a credit monitoring service to alert you of any changes to your credit report.

Be wary of phishing scams. Phishing scams are emails or text messages that trick you into revealing your personal information. Be careful about clicking on links in emails or text messages, even if they appear to come from a legitimate source.
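The password advice above (at least 12 characters, mixed character classes, no birthday or relative's name) can be checked mechanically. The following is an added example, not an NPC or DICT tool; the function names and the sample person are constructed for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 12  # minimum length from the recommendation above

# Constructed sample details, standing in for what a leak could expose.
SAMPLE_NAMES = ["Maria Santos", "Jose Santos"]
SAMPLE_BIRTHDAY = date(1958, 5, 14)

def personal_tokens(names, birthday):
    """Build lowercase strings someone could derive from leaked details."""
    tokens = set()
    for name in names:
        for part in re.split(r"[^A-Za-z]+", name):
            if len(part) >= 3:  # ignore initials and short particles
                tokens.add(part.lower())
    d, m, y = f"{birthday.day:02d}", f"{birthday.month:02d}", f"{birthday.year:04d}"
    # Common numeric spellings of a birth date, with and without the century.
    for yy in (y, y[2:]):
        tokens.update({m + d + yy, d + m + yy, yy + m + d})
    tokens.add(y)
    return tokens

def check_password(password, names, birthday):
    """Return the reasons a password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for label, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {label}")
    # Strip separators so "05-14-1958" is caught like "05141958".
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    for token in sorted(personal_tokens(names, birthday)):
        if token in squashed:
            problems.append(f"contains personal detail '{token}'")
    return problems

if __name__ == "__main__":
    for candidate in ("Maria05141958!", "Santos_05-14-58xZ", "tRuck-Lamp7&violet"):
        print(candidate, "->", check_password(candidate, SAMPLE_NAMES, SAMPLE_BIRTHDAY) or "ok")
```

The first two candidates meet the length and character-class rules yet still fail, because they are built from a name and birth date that leaked records could contain.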