Maxicare breach latest in private sector; NPC probes as data of 1,000 major firms exposed | Lorenz S. Marasigan and Andrea E. San Juan (2024)

CYBERSECURITY watchdog Deep Web Konek reported on Tuesday an alleged data breach involving major healthcare provider Maxicare Philippines, exposing the data of more than 1,000 major companies.

The breach, attributed to a threat actor known as “OPCODE-90,” has exposed over 22,800 lines of sensitive information and is now being sold to the first three buyers in the dark web.

“This breach was already notified to us since yesterday but we cannot confirm it back then. Today, the breach was posted on a hacker forum,” Deep Web Konek said.

The data includes detailed personal, member, and booking information. Specifically, it reveals sender details such as full names, unit/vendor, company, email, and Go Rewards code.

Member details include full names, company name, 16-digit Maxicare card number, corporate code, account type, date of birth, sex, mobile numbers, email addresses used for confirming schedules and sending results, other remarks, and VIP status.

Member booking details include location information such as province, country, ZIP code, city, barangay, street, village/subdivision, landmark, preferred dates and times, and a list of requested procedures.

According to Deep Web Konek, over 1,000 major companies, including high-profile organizations such as ABS-CBN, Accenture, Cebu Pacific, Bank of the Philippine Islands, Mercury Drug, Pfizer, and Manulife, among many others, were involved. Other popular companies included in the list whose data were allegedly compromised are: Unilever Philippines, Nestle Philippines, PayPal Philippines, Inc., Pfizer Inc., Allianz PNB Life Insurance Inc., Canva Solutions Inc., Cebu Air, Inc.

Deep Web Konek said Maxicare Philippines informed affected members about the breach on June 16, following the unauthorized access detected on June 13, 2024.

The breach specifically targeted Lab@Home, a third-party provider for laboratory requests from home, which operates a separate database from Maxicare’s systems.

NPC report

Maxicare Healthcare Corporation is the latest addition to the list of alleged data leaks in the country, according to the latest report of the National Privacy Commission (NPC).

“The NPC received a data breach notification report from Maxicare Healthcare Corporation through the NPC’s Data Breach Notification Management System on June 16, 2024 at 12:09 PM,” the country’s privacy watchdog told reporters in a Viber message on Tuesday.

While the NPC itself cannot provide further information other than the date and time of notification, the privacy body confirmed that they have been notified of the breach after a social media post by Deep Web Konek, a local cybersecurity group, started to lurk online.

With the subject “Notification to Data Subject,” the Maxicare notification posted on the website of DWK read, “On 13 June 2024, Maxicare Healthcare Corporation (“Maxicare”) was informed that an unauthorized person/s may have gained access to the personal information of our members submitted to Lab@Home.”

“Lab@Home maintains a separate database for this process, and Lab@Home’s systems are not integrated with that of Maxicare. Nonetheless, as champion of your privacy rights, Maxicare is making this notification to inform you of the incident and to minimize any further risk on your part,” the notification of Maxicare which was posted on the website of DWK read.

Last June 6, NPC provided updates on data breach notifications involving some of the large companies in the country.

“Robinsons Land notified us of a data breach on June 1,2024. Additionally, Toyota notified us of a breach on May 14,2024. The reports are currently under evaluation,” NPC said in a statement on June 6.