IN RE: MEDICARD PHILIPPINES, INC.
RESOLUTION
This Resolution refers to the compliance of MediCard Philippines, Inc. with the Resolution dated ten December twenty twenty-one.
Facts
WHEREFORE, premises considered, the request of MediCard Philippines, Inc. for exemption of notifying the remaining one thousand two hundred forty-one affected data subjects is hereby DENIED.
Further, MediCard Philippines, Inc. is ORDERED to notify the remaining affected data subjects that are not yet notified through e-mail based on the available e-mail addresses in MediCard's database and at the same time post the notice couched in general terms on its official website for faster dissemination of information.
Finally, MediCard Philippines, Inc. shall submit to the Commission within fifteen days from receipt of this Resolution a compliance report, which shall include details of notification to the data subjects (i.e., proof of the email notifications, postings, and their respective links).
SO ORDERED.
We at MediCard Philippines, Inc. protect your privacy seriously and recognize our duty to take care of our customers whose data we hold. As such, we take every precaution to ensure that your personal information is protected at all times while maintaining our transparency to our customers.
Last October twenty eighteen, we reported a data breach to the National Privacy Commission involving a billing statement that was unintentionally delivered to the wrong company. The notification was made pursuant to the mandatory data breach notification procedure of the National Privacy Commission. Unfortunately, data of some AIG Shared Services employees, limited to: employee number, MediCard ID number, name, and age were exposed in this data breach.
To validate this, if you have been an active employee of AIG Shared Services - Business Processing Inc. in October twenty eighteen, please access the following link: and enter your Member ID and date of birth.
We sincerely apologize that this has happened, and we want to assure you, as our valued member, that we have taken steps to prevent a recurrence of the incident. Also, the company has been in close coordination with the National Privacy Commission to address this.
Should you have clarifications, feel free to reach us by mail at privacy@medicardphils.com.
On fifteen March twenty twenty-two, MediCard submitted screenshots of its webpage posting and its e-mail notifications.
In relation to the e-mail notifications, MediCard submitted its Compliance dated fifteen March twenty twenty-two and twenty-five May twenty twenty-two. Along with the twenty-five May twenty twenty-two Compliance are the sworn affidavits of FC and JM, the persons responsible for notifying the affected data subjects through e-mail.
In Mr. FC's affidavit, he attested that on nine March twenty twenty-two, the e-mail notification was sent via the email address, privacy@medicard.phils.com, with the subject: MANDATORY PERSONAL DATA BREACH NOTIFICATION to a total of three hundred data subjects following the required e-mail settings: (a) request a read receipt and (b) request a delivery receipt. He was able to send the e-mail notification to the three hundred e-mail addresses and the delivery receipts provided were "Delivery to these recipients or groups is complete, but no delivery notification was sent by the destination server." Among the three hundred email notifications, three were not delivered due to "E-mail wasn't found at gmail.com", "E-mail address you entered could not be found", and "Your message could not be delivered." Despite repeated attempts to contact the recipients' email system, it did not respond.
In Ms. JM's affidavit, she attested that on nine March twenty twenty-two, she sent an e-mail notification with the subject: Mandatory Personal Data Breach Notification to a total of three hundred one data subjects via the email address, privacy@medicardphils.com. She was able to send the e-mail notifications to the three hundred one e-mail addresses. Some of the delivery receipts stated, "Delivery to these recipients or groups is complete, but no delivery notification was sent by the destination server," while only five had "read receipts". Among the three hundred one e-mail notifications, six were identified as "Undeliverable" and with a "Failure Notice" due to "E-mail wasn't found at gmail.com" and "Delivery has failed to these recipients or groups".
MediCard was able to successfully deliver five hundred ninety-two e-mail notifications out of the total six hundred and one e-mail addresses available to it. Notifications to nine of the available e-mail addresses were not delivered, for the following reasons: "E-mail wasn't found at gmail.com", "E-mail address you entered could not be found", "Your message could not be delivered", and "Delivery has failed to these recipients or groups".