The National Privacy Commission (NPC) has launched an investigation to ascertain the full scope of the data breach involved in the Philippine Health Insurance Corp. (PhilHealth) ransomware attack, after finding over 700 gigabytes (GB) of data extracted from a data dump claimed to be from the Medusa hacker group.
In a statement over the weekend, the NPC said its complaints and investigation division on Oct. 6 completed its initial analysis of 650 GB worth of compressed files originating from the data dump claimed by Medusa.
Upon extraction, these files revealed a staggering 734 GB worth of data, including sensitive personal information, according to the NPC.
“In light of these findings, the NPC has launched a sua sponte investigation to ascertain the full scope of this breach, identify the responsible officials and recommend legal prosecution to the fullest extent permissible by law,” the NPC said.
In a Viber message to reporters, NPC public information and assistance division chief Roren Chin said the investigation team led by its chief, Michael Santos, is in the process of conducting a full inventory of the number of compromised personal information.
She added that it might take several days to peruse the entire 734 GB of data.
“We endeavor to complete our investigation in the soonest time possible without compromising thoroughness, depending also on the additional information that may come to light in the course of the investigation,” Chin said.
The NPC said it has initiated an immediate, proactive investigation into PhilHealth’s potential violations of the Data Privacy Act of 2012.
“This decisive action follows the unsettling revelation of a data breach where confidential information was illicitly obtained from PhilHealth’s systems,” the NPC said.
The privacy commission cited recent media interviews where PhilHealth implicitly acknowledged a degree of negligence on their part, with one of their officials citing the expiration of antivirus software as a potential vulnerability that may have facilitated the breach.
“The NPC will leave no stone unturned in its investigation into the potential negligence of PhilHealth officials and explore whether any efforts have been made to conceal pertinent information,” the privacy commission said.