Millions of PhilHealth members may have been affected by the recent data breach, according to the Department of Information and Communications Technology (DICT). Jeffrey Dy, DICT Undersecretary for cybersecurity, revealed this alarming figure during the launch of the agency’s Cybersecurity Month on Monday, October 9.
Although Dy declined to provide an exact number due to the potential presence of duplicate data, he emphasized the magnitude of the breach, stating, “It’s not the entire [member] database, but it is a significant number.”
The investigation has revealed that the stolen PhilHealth data, which was initially published on the dark web on October 3 and subsequently on the regular web and Telegram on October 5, amounts to approximately 734 gigabytes uncompressed. The DICT has made significant progress in analyzing this data, with Dy noting they are about 90% through their examination.
This estimate is a considerable leap from the earlier report by GMA on October 7, which indicated only thousands were potentially affected. Following the breach, GMA also reported a recommendation from DICT to issue new PhilHealth ID numbers (PINs) as a measure against fraudulent claims. This comes after PhilHealth’s October 2 notice confirming that the stolen data included PINs. Footage analyzed by Rappler displayed member contribution receipts bearing the full name, PIN, and contribution amount of members.
Furthermore, DICT Secretary Ivan Uy clarified that while the primary servers housing membership data remained unaffected, 92 workstations that accessed this data were compromised. Consequently, the information stored on these workstations became part of the stolen data.
Uy also discussed the confidential budget for 2024, expressing concerns over its reduction in recent years. The proposed budget is P300 million, a figure questioned by Senator Grace Poe, who inquired about the utilization of the P1.2 billion allocated for 2019 and 2020. In response, auditors confirmed that only P400 million was used, while the remaining P800 million was redirected to the government’s COVID-19 response efforts.
Highlighting the urgent need to address cyber threats, Secretary Uy remarked on the diminishing cybersecurity budget, drawing an analogy that as the magnitude of the threat increases, the resources to combat it seem to decrease proportionately.