The National Privacy Commission (NPC) disclosed on Saturday, April 25, that it is investigating complaints for privacy violations it received in the last few weeks from Covid-19 patients.
In a statement, the privacy agency said the breach notifications involved the unauthorized disclosure of sensitive personal information of suspect, probable, and confirmed Covid-19 patients.
“The NPC is now looking into said breach incidents, in accordance with our internal procedures and in collaboration with concerned Personal Information Controllers (PICs), for remediation and other purposes within the bounds of the Data Privacy Act of 2012,” said NPC chair Raymund Liboro in a statement.
From March 15 to April 23, the NPC said it received a total 17 Covid-19-related personal data breach notifications — seven were from Personal Information Controllers (PICs), and 10 were from third-parties (non-PICs, which include ordinary citizens). A total of at least 154 data subjects were affected (composed of suspect, probable, confirmed Covid-19 patients, and PUMs).
Notifications received from PICs:
Notifications received from non-PICs:
To avoid similar instances from happening again, the NPC called on health institutions and their Data Protection Officers (DPOs) to strengthen the protection of patient data.
“After all, fostering mutual trust and protection between patients, health institutions and authorities is crucial in dealing with the Covid-19 pandemic,” the agency said.
“Patients will only fully and truthfully disclose the needed information to authorities if they feel assured that the information will be properly used for treatment, disease surveillance and response, and will be protected against any type of misuse, such as unauthorized disclosure, which has proven to result in stigma-driven physical assaults, harassments, and acts of discrimination,” it stressed.
The NPC laid down organizational, physical and technical security measures that health institutions and their staff may enforce to protect patient data against unauthorized disclosure:
- Regularly remind officials and employees of their ethical and legal duty to protect patient data. This reminder may come in the form of strategically located posters or print outs informing every one of their responsibility to protect the confidentiality, integrity and availability of patient data, which they have been entrusted with. Health institutions may want to emphasize that unauthorized disclosure is a prohibited act, both under Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, and the Data Privacy Act of 2012. They should ensure that non-disclosure agreements and related contracts are in place and enforced.
- Establish access control for patient data based on least privileges. Only provide access on a “need-to-know” basis. This means that health personnel are allowed only the minimum and necessary access to enable the performance of their functions.
- Equip facilities with physical access controls. Protect physical access to facilities through locks and alarms. This is to ensure that only authorized personnel have access to facilities that house the systems and the data. At the same time, keep documents containing patient data in locked cabinets or secure rooms when not in use.
- Only disclose patient data to proper authorities and in appropriate areas. Refrain from discussing patient data in public areas where unauthorized parties may pick up personal data, unless when providing treatment under compelling circumstances. In addition, when discussing over the phone, confirm the identity of the person first and check whether he or she is authorized to receive such information.
- Protect the computer display from unauthorized or accidental viewing. Prevent the accidental viewing and disclosure of data through the use of privacy screens. If a privacy screen is not readily available or practical, place computer monitors inside secluded cubicles or angle them in such way that minimizes the chance of any unauthorized or accidental viewing by unauthorized individuals. Computers must be locked with a password whenever the authorized user leaves the workstation.
- Lock storage media away when not in use. If the use of portable storage media (such as USB flash drives or external hard drives), to store patient data is unavoidable, ensure that the files are encrypted and password protected. Also, make sure they are kept secure in your person when working in public places and not left absentmindedly on desks, counters, in conference rooms, and other common areas where it may be accessed by unauthorized individuals.
- Ensure that patient data are encrypted, both in-transit and at rest. Electronic copies of patient data must be protected in the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in-transit and at rest ensures that the files are locked and only accessible to authorized persons.
- Communicate securely. Choose a secure platform for care team collaboration and patient communication. For further protection, ensure that the documents are encrypted with a password of sufficient strength. The password must be sent via a separate channel like SMS/text. It is likewise advised that apart from setting a strong password, a second-factor authenticator may be used whenever logging into accounts.