Philippine Maxicare HealthCare reports data breach

Maxicare HealthCare Corporation has notified its members about a potential data breach that may have compromised personal and medical information. Maxicare HealthCare Corporation is a leading Health Maintenance Organization (HMO) based in the Philippines.

The breach was identified on June 13, 2024. The compromise originates from Lab@Home, a third-party laboratory service provider that operates a separate database not connected to Maxicare's systems. The breach began was caused when a threat actor found the login credentials of Maxicare's third-party service provider online. The attacker exploited these credentials to access and download data.

Compromised data includes personal and medical information submitted to Lab@Home, such as:

• Full names
• Email addresses
• Home addresses
• Requested procedures
• Maxicare card numbers
• Account types
• VIP status
• Medical booking details

The breach has impacted over 1,000 companies subscribed to Maxicare’s group insurance policy. Major companies affected include:

• Accenture
• Cebu Air (operator of Cebu Pacific)
• AIA Philippines
• Allianz PNB
• BPI AIA Life Assurance Corporation

Maxicare is investigating the breach and working with the National Privacy Commission (NPC) to secure personal data. The NPC is expected to take action to ensure data protection.

Maxicare said the "alleged unauthorized access" to its data affected around 13,000 members representing less than 1% of its members. No other details are disclosed.