Press Statement on Alleged PhilHealth Data Breach

The National Privacy Commission (NPC) is fully committed to safeguarding personal data and ensuring the privacy of all individuals. Today, on the 25th of September 2023, we were notified by the Philippine Health Insurance Corporation (PhilHealth) regarding an alleged ransomware attack, prompting immediate action from the NPC.

The Complaints and Investigation Division of the NPC has taken swift measures to address this incident. We have issued a Notice to Explain to PhilHealth, seeking comprehensive information regarding the nature and extent of the data breach. Furthermore, we have issued an Order to Appear, compelling PhilHealth's presence at a hearing scheduled for tomorrow, the 26th of September 2023. This will be followed by a Notice of Onsite Investigation on the 28th of September 2023. These actions have been initiated to evaluate the impact of the alleged data breach and to assess the mitigation efforts undertaken by PhilHealth, with a primary focus on protecting the interests of the affected beneficiaries and contributors.

In strict adherence to NPC Circular No. 2016-03, we expect PhilHealth to provide a complete report within the next two days. This report must offer a comprehensive account of the breach, including details on the personal data that may have been compromised, and the measures implemented to contain and rectify the situation.

The NPC is dedicated to ensuring the privacy and security of personal data for all citizens. Rest assured, we will keep the public informed of developments in this matter as they become available.

For inquiries and updates on this incident, please visit our official website or contact our Public Information and Assistance Division thru [email protected].