PhilHealth may be liable for data privacy violations: expert | ABS-CBN

ABS-CBN News
Published Oct 07, 2023 02:29 PM PHT

MANILA — State insurer Philippine Health Insurance Corp. (PhilHealth) may be held liable for a data breach in the agency, even if it was also a victim of a ransomware attack.
Oliver Xavier Reyes, a lawyer specializing in cybercrimes, said those behind the breach are punishable under the Cybercrime Prevention Act of 2012.
"Pero dahil information na apektado dito ay personal information, may isa pang batas na papasok: ang Data Privacy Act," Reyes said over Teleradyo Serbisyo.
(But because the information affected by the breach is personal information, there is another law that comes into play: the Data Privacy Act.)
Under the Data Privacy Act of 2012, Reyes said, those behind the ransomware attack as well as personnel controlling or handling personal data that may have been affected by the breach would face criminal and administrative cases.
"Kapag nakita na mayroong negligence dahil sa paghahawak ng data, at dahil sa negligence na ito — hindi pag-adopt ng angkop na cybersecurity measures for the protection of personal data — pwede silang maging criminally at administratively liable dito sa Data Privacy Act," he said.
(If negligence is found in the handling of data... because of that negligence — failing to adopt appropriate cybersecurity measures for the protection of personal data — they can be held criminally and administratively liable under the Data Privacy Act.)
He said the Data Privacy Act has a specific provision holding data handlers responsible for damage to the owners of the personal data.
"Kung ahensya ito o korporasyon ito, 'yung mga officers 'yung pinaka may-ari o pinakahepe, maaari silang maging criminally liable for negligence," he added.
(If it is an agency or corporation, then the officers, or the owners or the head of agency may be held criminally liable for negligence.)
EVERYONE IS AFFECTED WHEN THERE IS A DATA BREACH
He also noted the government's efforts to boost cybercrime investigations and prosecution, but said these should have been strengthened years ago.
"Ang cybercrime ay nakakaapekto hindi lamang sa mga mayayaman pati na rin sa kung sinong tao basta may digital record," he said.
(Cybercrime doesn't just affect the rich, but anyone who has a digital record.)
PhilHealth membership is mandatory for employees while the self-employed can pay insurance contributions as voluntary members.
"Andiyan ang ating personal information, andiyan ang ating mga data. Kung sino man ang nagtatago nito — gobyerno man o private sector, tayo ay apektado kung may breach at nanakaw itong mga information natin," he said.
(Our personal information, our data. Anyone who collects and stores these, whether the government or the private sector — we are all affected if there is a breach and our information is stolen.)
He said that government, firms, and the public should consider that the data has likely been compromised after the PhilHealth breach.
There should also be a "culture of cybersecurity" in agencies and firms handling data, just as their personnel should be equipped to respond to data breaches.
PhilHealth earlier admitted its outdated cybersecurity system enabled hackers to gain access.
The National Privacy Commission (NPC) this week said it was looking into PhilHealth’s accountability as the cyberattack could have exposed its members' data.
An NPC official earlier said PhilHealth officials may face sanctions over the breach.
PhilHealth meanwhile has said that its membership data and claims, contribution, and accreditation information are stored in a separate database and are intact.
They said these data are completely unaffected by the cyberattack.