The Philippine Senate’s and Congress’s recent investigations of the Philippine Health Insurance Corporation (PhilHealth) are a series of horrific parades of official corruption from the very top to bottom. PhilHealth was created in 1995, under R.A. 7875, and as amended by R.A. 9241, to implement universal health coverage in the Philippines. Its creation transferred to it all the assets and functions of the former Philippine Medical Care Commission (PMCC), without need of conveyance, transfer or assignment (COA report, 2013). PhilHealth is the sole legal health insurance provider of all Philippine citizens, who, as of September 18, 2020, number 109,904,415, based on the Worldometer elaboration of the latest United Nations data (https://www.worldometers.info/world-population/philippines-population/).
Since my blog concentrates on cyber law issues, I would only discuss the matters which the legislators have not meticulously scrutinized concerning the I.T. systems of this agency and the actuations of their I.T. officials and management with respect to their I.T. programs, to enrich the discussion and contribute to the awareness of their importance.
However, to give the readers who may not be aware of the extent of the corruption in this agency, the catalogue of illegal acts run the gamut of:
granting its officials and employees unlawful special bonuses and allowances from accreditation fees;
charging the taxes that their employees and officials should pay out of their salaries, to the PhilHealth’s expense accounts, which are government funds that are supposed to be spent for the members’ benefits;
re-enrolling the dependents of its members, i.e. their spouses and children, as new members and claimants of benefits, to hide about P 30 billion (US$ 612 million) unaccounted Philhealth funds, including the P 10.6 billion (US$ 216.33 million) allocated for the senior citizens’ fund that were diverted allegedly for election purposes;
the non-remittance of premium payments of overseas contract workers made possible through the fake PhilHealth receipts scheme; the creative misappropriation of some of the agency’s officials and their cronies in certain hospitals all over the Philippines, which have resulted in grossly misdeclaring medical findings and diseases to upcase the medical charges; and
taking advantage of the real current pandemic to overprice test kits and services, based on the unreasonable all case rate schemes, charged against the PhilHealth funds which have led some of this agency’s officials to declare the possible emptying of its coffers by 2021 or 2022.
The investigations have also revealed that PhilHealth allowed certain health care institutions from claiming non-COVID 19 expenses from the interim reimbursement mechanism (IRM) which was supposed to address the needs of the patients of the pandemic. The legal basis of the IRM had been repeatedly challenged by the Senators and the Congresspersons which led PhilHealth’s recently resigned SVP for Legal, Atty. Del Rosario to admit that the IRM itself is illegal! Most alarmingly, Congressman Abante, citing a source, stated that the PhilHealth corrupt officials and employees have taken as much as P 154,000,000,000 (US$ 3.14 billion) from the Philippine people!
DISCLOSURE: THE DISAPPEARANCE OF MY PHILHEALTH CONTRIBUTIONS COVERING OVER 8 YEARS
Even in its inception, PhilHealth has not been able to faithfully record, legally account and steward all of its members’ contributions, like mine in particular. I worked in the judiciary from 1993 to 1995. When I transferred to Ernst & Young, LLP, Philippines in the latter part of the 90’s, I found out that none of my previous PMMC or medicare contributions were ever recorded by PhilHealth, despite the fact that these were automatically deducted by the government from my salary, and by law should have been transferred to, and accounted for by PhilHealth. I left the country twice, and when I finally came back to the Philippines the second time, and started working in 2008, I found out that none of my PhilHealth contributions from 1997 to 1998 and from 2001 to 2003 when I worked in the private sector, existed in the PhilHealth records. These contributions were again remitted by the companies I worked with, with PhilHealth. I complained about this on several occasions from 2008 to 2011, and the reasons given to me by the PhilHealth officers and employees I complained to, are their faulty computer system with glitchy databases. I no longer have the individual payslips given to me by my Philippine employers for over 8 years to support my claims, which were asked. Effectively, over 8 years of payroll deductions for PhilHealth contributions from my salary vanished, hoodwinked by the buggy PhilHealth I.T. system and highhanded officials and employees whose sole response to complaining PhilHealth members was to file cases against them. My current and sole record of PhilHealth contributions only start in the year 2008! THE DAMNING COMMISSION ON AUDIT (COA) REPORTS ON PHILHEALTH’S IT SYSTEM Several annual COA reports have highlighted the PhilHealth’s overpricing and defective IT systems, mismanagement of the data in its IT systems and mismanagement of IT funding. In 2012, COA reported that the failure of PhilHealth to complete the documentation and update the data of its members in its IT system caused the accumulation of unclaimed benefit payments totalling to P 250.15 million (roughly $US5.6 million). More than 22,000 checks covering this amount became stale. It resulted in the overstatement of the agency’s “Other Payables”, but what is interesting is that this amount was never returned to the agency’s cash account, that made its Cash in Bank and Accounts Payable Benefit understated by P 98.11 million (around US$2.8 million). It was never made specifically clear in the COA 2013 report if the unreverted amount was returned. In 2018, the COA report noted the crucial lack of fraud detection mechanisms, tools and safety nets in the agency’s Electronic Claims System, contrary to P.D. 1445, that made it possible for Health Care Institutions to raise and claim spurious and fraudulent claims, which can lead to loss of government funds and member contributions. When the current PhilHealth Senior Vice President (SVP) for I.T. and Chief Information Officer (CIO), Jovita Aragona, was hired in June 2015 (As payouts rise, PhilHealth turns to data, Medha Basu, [https://govinsider.asia/innovation/as-payouts-rise-philhealth-turns-to-data/]), the COA came out with a particularly damning report specifically honing on the defective PhilHealth’s I.T. system, and deficient I.T. policies and implementation. The 2015 COA report (covering up to the end of December 2015) highlighted the following: There is no proper, prompt, accurate, proactive posting of current members and their contributions, remittances and availment of benefits; There are no validation routines “during data entry to reject null values and improbable birth dates”; The COA report stated “(w)e recommended that Management initiate the establishment of data library, thus, ensuring the accountability, integrity, reliability, and availability of the files when needed”. It must be stressed that PhilHealth has been operating since 1995. The COA report made it very clear with the use of the word “initiate”, that since 1993 to 2015, PhilHealth has NO reliable, NO available paper based and computerized data library of its members and their contributions, that had the characteristics of accountability and integrity! It also noted the fact that PhilHealth had no policy in updating and correcting whatever database it had at that time, and recommended the creation of such policy and the development of a system interface in its I.T. system that would permit the correction and updating of its database! PhilHealth has insufficient and outdated I.T. policies, standards, guidelines and procedures, and Office Orders that reflect these, which cause confusion, and certainly cannot “ensure the protection of its sensitive critical resources and the integrity of its information”. Since its inception, PhilHealth apparently had not conducted a penetration test and vulnerability scan of its I.T. systems! PhilHealth has no policies and procedures on network configuration, which COA believed could minimize configuration errors, downtime, and streamline the processes for its IT system’s maintenance, repair, expansion, and upgrading; There is “(n)o annual inventory and central depositary for computer media”. The I.T. systems developers/documentation group do not complete and submit systems documentations, which can be a means to perpetrate fraud. PhilHealth employees were not restricted from running from executable files, and from downloading and uploading unauthorized software from, and into the PhilHealth computers, which can be the cause for computer breaches and cybercrimes within PhilHealth! The same COA report decried the fact that PhilHealth had no policy and procedures on the “proper management and safekeeping of back up tapes”. The COA report on this matter was couched on the terms “(w)e recommended that Management pursue the creation of policies and procedures…” which meant the absence of these policies and procedures in the first place. The COA discovered that PhilHealth maintains two separate sets of databases of its members, one in its Server room, the other in its Data Center. These two databases are not synchronized in real time, so they are not mirror images of one another, and the I.T. equipment and software used in the Server room are subpar with that in the Data Center. Finally, and quite alarmingly, PhilHealth does not maintain an offsite database center that would act as a back-up storage, and complete mirror copy of all the data of PhilHealth’s members. This is crucial because in the instance of data security breaches and failure of data recovery due to virus corruption, or in the event of electromagnetic pulse attacks, without the offsite database, PhilHealth’s records of all its members can disappear, making it very difficult or impossible to continue its operations. It is not clear from the succeeding annual COA reports, that are publicly available on the COA website, if all these issues were addressed by PhilHealth. But, anyway, as evident from the proceedings in the Senate (which ended last August 18, 2020) and Congress (which terminated in September 2, 2020), most, if not all of the COA observations on the IT system of PhilHealth had not been addressed by senior management. All of these explain why member contributions like mine, had significant current unaccountable gaps that can only be attributed to the gross and criminal nonfeasance of the PhilHealth’s management, including their IT officials and staff.