The World Health Organization (WHO) has denied reports that the personal data of Filipinos who received Covid-19 vaccines, which was leaked to the dark web, came from its servers.

“WHO does not collect, process or store any personally identifiable information (for example, names, email addresses, phone numbers, etc.) in relation to Covid-19 immunization,” the WHO said in a statement.

During the pandemic, the United Nations agency said it collected only aggregated data at population level from national health authorities, such as the total number of Covid-19 infections, deaths, and the number of vaccine doses administered. The same practice also applies to all other WHO member-countries.

These data are “crucial for monitoring the progress of Covid-19 vaccination efforts nationally and globally.”

“WHO does not have access to underlying personal data, which is the exclusive domain of governments,” it added.

The Department of Information and Communications Technology (DICT) had earlier confirmed that, based on the monitoring of the Philippine National Computer Agency Response Team, the WHO was hacked and its database of Philippine and Indian Covid-19 vaccines was released to “platforms.”

“Reports that a data breach linked to WHO or WHO-hosted databases has occurred are false and inaccurate. WHO abides by principles related to personal data protection embodied in the United Nations Principles on Personal Data Protection and Privacy,” the UN agency said.

DOH role

Whether or not the WHO server was compromised, the Department of Health (DOH) may be held responsible for the data breach, according to a cybersecurity expert.

Francisco Ashley Acedillo, director of the Philippine Institute of Cybersecurity Professionals, said the Data Privacy Act mandates the “security, accountability and responsibility of personal information” of Filipinos.

If the data was shared by the DOH with the WHO, then the DOH should also be equally liable, he added.

“The DOH’s act of sharing information with third parties, e.g., WHO, still carries with it the responsibility on the part of the former to ensure that the latter can and will secure such information, especially if these are personal information of Filipinos,” Acedillo said.

This is not the first time that the health information of Filipinos was leaked online. Earlier, after the Medusa ransomware hacked the PhilHealth office computers and Manila refused to pay ransom, member data of Philippine Health Insurance Corp. (PhilHealth) was also uploaded to the dark web.

“The latest confirmed breaches resulting in the release of personal information on our citizens in the custody of the DOH, and previous to this, those in the custody of PhilHealth, highlight the need for heads of agencies and data protection and information security officers to heed the law and take these security and protective measures seriously.

“If necessary, the force of law must be emphasized, if only to demonstrate this seriousness and acknowledge the magnitude of the problem of a general lack of cybersecurity, sadly, even in government,” Acedillo said.

If the claim of the WHO is true, he added, “then the breach may have happened on the DOH’s end.”