Philippines’ Manila The National Privacy Commission issued a warning to anyone handling and sharing personal information that had been obtained through a breach at the Philippine Health Insurance Corp. (PhilHealth) that they might be prosecuted.
The NPC claimed in a statement on Tuesday that private information stolen from PhilHealth was “being shared illicitly.”
“We wish to underscore the seriousness of this circumstance and the harsh penalties that await anyone who processes, downloads, or disseminates this data without a valid reason or consent,” the privacy commission stated.
A punishment ranging from P500,000 to P2 million and up to three years in prison are imposed on those found guilty of processing personal information without authorization under Section 25 of the Data Privacy Act of 2012.
Even harsher punishments, however, are associated with the unapproved handling of sensitive personal data: three to six years in prison and a fine of P500,000 to P4 million.
According to NPC, “sharing such compromised data exposes affected individuals to a range of risks, including fraud, extortion, blackmail, identity theft, and other malicious activities.”
The NPC and law enforcement organizations are among the entities to whom the commission advised the public to submit any evidence of leaked data.
Additionally, it urged processors and controllers of personal information to bolster their data security protocols.
Prior to this, the NPC disclosed that a “staggering” volume of files—roughly 734 gigabytes worth—had been stolen from PhilHealth, comprising private and sensitive data.
In order to determine the extent of the breach and pinpoint the accountable officials, the commission started an investigation.
Prior to this, PhilHealth recommended that people change their online account passwords and enable multi-factor authentication as preventative measures against fraudulent activity.
The state health insurance claims that only personnel workstations and application servers were impacted by the malware.
