13,000 Members Affected in the Maxicare Data Breach
Maxicare Healthcare Corp, one of the largest health maintenance organizations (HMOs) in the Philippines, has reported a major data breach to the National Privacy Commission (NPC) that exposed the personal records of around 13,000 members.
According to a report by the Philippine Daily Inquirer on June 19, 2024, the NPC said it received a data breach notification from Maxicare over the weekend through its Data Breach Notification Management System (DBNMS). However, the NPC did not disclose any further details about the incident due to an ongoing investigation.
Threat Actor ‘OPCODE-90’ Releases Sensitive PII from Maxicare Philippines
On the same day, a cybersecurity monitoring firm called Deep Web Konek reported on Facebook that a threat actor known as “OPCODE-90” had leaked a file containing sensitive personal information from Maxicare on a data marketplace. The 33.3 MB file contained over 22,800 lines of data, including names, email addresses, Maxicare member numbers, dates of birth, gender, mobile numbers, and VIP statuses of over 13,000 individuals.
In a statement published by the Philippine Daily Inquirer on July 10, 2022, Maxicare confirmed that the personal information of approximately 13,000 members, which is less than 1% of its total membership base, had been exposed in the data breach.
The compromised information was accessed without authorization from the booking platform of Lab@Home, one of Maxicare’s third-party homecare providers. Details like names, email addresses, and booking request information were exposed, but Maxicare clarified that no sensitive medical data was involved.
Impacted Members, Response and Investigation
Maxicare has a total of 1.8 million members across the Philippines. The exposed records represent less than 1% of its member base. However, any unauthorized exposure of personal data is still a serious privacy concern.
After being notified of the breach, Maxicare launched an investigation together with cybersecurity experts and the NPC. Emergency measures were put in place to ensure the security and privacy of the approximately 13,000 members who were potentially affected.
The company advised that the data breach was isolated to Lab@Home’s separate booking database and did not compromise Maxicare’s own core systems or customer data in any way. Both Maxicare and the NPC continue to look into the full scope of the incident. Under Philippine law, companies have 72 hours to report data breaches to the NPC, a requirement Maxicare complied with.
Frequency of Data Breaches in the Philippines Has Increased, and So Has the Responsibility of Protecting Sensitive Personal Data
This Maxicare data breach came after similar incidents reported by other large Philippine companies in recent months, according to reports. Motor vehicle giant Toyota PH and property developer Robinsons Land also informed the NPC, in May and June 2022 respectively, of data breaches compromising customer records.
A consumer rights advocacy group in the country called Malayang Konsyumer expressed alarm over the frequency of these leaks involving major private sector organizations. They believe the technical capabilities of the attackers are advancing as they are now able to infiltrate even the private consumer databases of large corporations.
The group has urged law enforcement to fully investigate and apprehend those responsible for the rising number of data breaches in the Philippines. They also called for the NPC and DICT to further strengthen data privacy laws and protections for Philippine consumers.
The Maxicare incident demonstrates the ongoing risks of data security breaches for both organizations and individuals in the Philippines. Because Maxicare is one of the largest data breach victims in the country to date, the incident will be closely watched as a major test of the country’s private and public sector response to protecting personal data in accordance with laws like the Data Privacy Act.