NPC Takes Firm Stand: Unwavering Commitment to Protect Data Privacy Rights in Wake of PhilHealth Data Breach

In an unyielding display of its commitment to safeguarding the privacy and security of personal data, the National Privacy Commission (NPC) has initiated an immediate, proactive investigation into potential violations of the Data Privacy Act of 2012 by the Philippine Health Insurance Corporation (PhilHealth) and its officials. This decisive action follows the unsettling revelation of a data breach where confidential information was illicitly obtained from PhilHealth's systems.

On October 6, 2023, the Complaints and Investigation Division of the NPC has completed its initial analysis of 650GB worth of compressed files originating from the data dump claimed by the Medusa group. Upon extraction, these files revealed a staggering 734GB worth of data, including personal and sensitive personal information. In light of these findings, the NPC has launched a sua sponte investigation to ascertain the full scope of this breach, identify the responsible officials, and recommend legal prosecution to the fullest extent permissible by law.

During a recent media interview, PhilHealth implicitly acknowledged a degree of negligence on their part, with one of their officials citing the expiration of antivirus software as a potential vulnerability that may have facilitated the breach. The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information.

In unequivocal terms, the NPC issues a stern warning to the public: Any individual or organization found to process, download, or share the exfiltrated data from PhilHealth will be held accountable for unauthorized processing of personal information and may face criminal charges.

Rest assured, the NPC stands firm in its resolve to combat any actions that contravene the Data Privacy Act of 2012, whether within government or private institutions. We pledge unwavering dedication to enforcing the necessary measures and will be relentless in holding those responsible fully accountable.

For inquiries and updates on this incident, please visit our official website at or contact us at [email protected]. Your data privacy matters, and your National Privacy Commission is here to protect it.