Criminals could use leaked PhilHealth data, privacy body warns banks, hospitals, telcos


THE National Privacy Commission (NPC) has issued a “Guidance” to all Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to underscore the urgent concern posed by the potential proliferation of counterfeit PhilHealth Identification Cards (IDs) in light of the leak of PhilHealth data.

The country’s privacy body issued “PhilHealthLeak Guidance No. 1” on Heightened Vigilance Against Counterfeit PhilHealth IDs on Wednesday.

According to NPC, on October 6, its Complaints and Investigation Division concluded the initial analysis of the 650 gigabytes (GB) of compressed data files linked to the Medusa Ransomware Group’s data dump.

NPC said it was determined that a portion of this data dump contained personal and sensitive personal information of PhilHealth members.

In light of these findings, NPC said it “strongly urges” PICs and PIPs, particularly banks and non-bank financial institutions, hospitals, and public telecommunications entities (PTEs) to exercise heightened vigilance in detecting and preventing the fraudulent use of counterfeit PhilHealth IDs during various transactions.

The privacy body highlighted the “associated risks” to these PICs and PIPs.

For banks and non-bank financial institutions, NPC warned of the risk of identity theft and financial fraud. It said that fraudsters may exploit fake PhilHealth IDs to open fraudulent bank or financial accounts or conduct unauthorized financial transactions. The privacy body said this can lead to “significant financial losses” for both the bank and its customers.

NPC also flagged the risk of money laundering, wherein counterfeit IDs can facilitate money laundering activities within the banking system, potentially exposing banks to legal and regulatory consequences.

For public and private hospitals, NPC warned of the risk of medical fraud, where fraudulent IDs can be used to claim healthcare benefits and services, leading to unwarranted financial burdens on hospitals and potentially compromising patient care.

NPC noted there could also be a patient data breach, where the use of counterfeit IDs can result in unauthorized access to patient records and sensitive medical information, jeopardizing patient privacy and confidentiality.

For public telecommunication entities, NPC said there could be identity theft in SIM Registration wherein counterfeit IDs may be used in the registration of SIM cards, enabling malicious actors to engage in criminal activities such as fraud, harassment, and scams while remaining anonymous.

With this, the NPC is reminding all concerned PICs, PIPs, and data subjects “to take this advisory seriously and remain vigilant, refraining from any actions that could jeopardize their personal data.”