INDONESIA LAUNCHES INVESTIGATION, The curious case of BPJS healthcare agency data leak


IO – News of the hacking of the private information of more than 200 million Indonesians has commanded public attention. It originated from an online post making the rounds on social media on Thursday (20/5/2021) claiming that the personal data of 279 million people had been stolen and sold off through a hacking platform called raidforums.

The Communication and Information Ministry promptly investigated the matter and found that the information allegedly belongs to the Health Care and Social Security Agency (BPJS Kesehatan); it includes names, BPJS identity numbers, addresses, phone numbers and payment status. The sample data uncovered numbered 100,002, fewer than claimed.

Previously, the BPJS Kesehatan Public Relations Department stated that the big data stored on its server is fully protected, as it has a strict and multi-layered data security system and regularly coordinates with related parties to provide maximum data protection. To ascertain whether the source of the leak came from BPJS Kesehatan, its Board of Directors has deployed a special team to trace and find the source, in cooperation with the authorities.

Of course, this data breach is a very serious matter, because it will have an impact on many operations. According to Williams and Sawyer (2007), data consists of raw facts and figures that are processed into information, and this information can be manipulated for use in decision-making. 

As a public institution, BPJS Kesehatan manages a huge and detailed data repository in support of its mandate to administer universal health coverage for the Indonesian public. According to Presidential Regulation No. 82/2018, all Indonesians are required to participate in the National Health Insurance (JKN) program managed by BPJS Kesehatan. The current number of JKN participants is around 222.4 million or about 82.37 percent of the total population. 

The data managed by BPJS Kesehatan is highly diverse, covering the various categories of participation in the JKN Program, such as Recipients of Contribution Assistance (PBI) for the impoverished segment of society, Earning Employees (PPU) and their family members, and independent Non-wage Recipients (BPU) and Non-workers (BP).

PPU participation, according to article 4 paragraph (2) of the abovementioned presidential regulation, is comprised of state officials, heads and members of the Regional Legislative Councils (DPRD), civil servants, soldiers, policemen, village heads and village officials, private employees, and other salaried employees: contract-based government employees (PPPK) and non-civil servant workers (honorary teachers) are examples. 

BPU participants are workers outside a work relationship, or independent workers who are not salaried or wage recipients. Meanwhile, BP participants are made up of investors, employers, pensioners, veterans, independence heroes, widows, widowers, or orphans of veterans or independence heroes, and other premium-paying participants.

The data points from these three types of participation vary. Personal information includes name, address, place and date of birth, citizenship identity number (NIK), family members on Family Card (KK), wage for PPU participants, bank account numbers for BPU participants, and fingerprints. Not only that, BPJS Kesehatan also manages health data for JKN participants, namely, civil society, police and military personnel and partner healthcare facilities. No other institution manages a database as large and detailed as BPJS Kesehatan. And it is highly confidential and must not be shared with any other parties. 

Support of Information Technology 

Given the trove of data in its possession, the management of JKN by BPJS Kesehatan must be bolstered by reliable information technology capabilities, in the form of applications that can facilitate the registration process, healthcare services, complaints and other services related to partner institutions in its ecosystem. 

To ensure its efficiency and effectiveness, BPJS Kesehatan has numerous information systems tailored to the participants’ needs such as the Participant Management System, Public Service System, and Healthcare Guarantee Management System. 

With regard to the Participant Management System, BPJS Kesehatan has six applications. First, Mobile JKN, available on the Android and iOS platforms. This is used for registration of new BPU participants, switching healthcare facilities, checking due premiums, payment history, contacting healthcare facilities, screening health history, queue registration, checking availability of beds and operating schedules, and other information.

Second, the web-based BPJS Checking application, which participants can use to check premiums due via the website. Third, the e-Dabu application, which business entities can use to register their employees, change service classes, check due premiums, etc. Fourth, the BPJS Admin application, where participants can print their e-ID. Fifth, the Registrasi Badan Usaha (Business Entity Registration) application, where business entities can register themselves to become participants. And sixth, Portal Bersama (Joint Portal), which business entities can use to register themselves as participants of both BPJS Kesehatan and the Workers Social Security Agency (BPJS Ketenagakerjaan).

Moreover, as part of its Public Service System, BPJS Kesehatan has a website, exodus (mudik) application, Jamkesnews Portal, Aplicares application, and Web Screening. These applications serve as the means for the public to retrieve information about the JKN and BPJS Kesehatan programs. 

BPJS Kesehatan also has a Healthcare Guarantee Management System which consists of eight applications – Health Facilities Information System (HFIS), Pcare-Eclaim, vClaim, finger print, queue, INACBGs (LUPIS), Online Pharmacy, and Covid-19 Claim. These applications are all linked to the healthcare guarantee system of healthcare facilities that have collaborated with BPJS Kesehatan, which include the credentialing and recredentialing process, information about healthcare providers (facilities, medical personnel, cooperation agreement between BPJS Kesehatan and hospitals), claim filing process, etc. 

From these applications, we can appreciate the enormity of data managed by BPJS Kesehatan, which includes not only participants’ personal information but also the medical history of the Indonesian population, as well as data on healthcare facilities and participating business entities.

Given how important and sensitive the data is, BPJS Kesehatan must ensure that their applications are secure to prevent misuse by malign actors. As the data is highly confidential, no other party should have access to it. 

The basis for the incorporation of Information Technology (IT) in the BPJS management system has been laid out through BPJS Kesehatan Director Regulation No. 4/2018, which stipulates the implementation of all applications linked to the JKN program. 

To incorporate the use of information technology, BPJS Kesehatan has implemented several IT frameworks and standards. First, Control Objectives for Information and Related Technology (COBIT), developed by the IT Governance Institute, assists BPJS Kesehatan in assessing its IT system, the capability of which was benchmarked using the COBIT 5 standard in 2020.

Second, the IT Infrastructure Library (ITIL) developed by the Office of Government Commerce (OGC) to assist an organization in providing good governance for IT operations and meeting user expectations. Third, the globally-recognized ISO 27001 for Information Security Management System (ISMS) and ISO 20000 for IT Service Management System. BPJS has received both ISO certifications from the British Standards Institution (BSI). 

These IT governance frameworks and standards show that BPJS Kesehatan has taken necessary measures to ensure the management and security of its applications. However, the data breach also demonstrates that something is amiss. And this is a problem. 

The data breach could be the work of hackers who were able to exploit a weakness in the system, showing that many of BPJS Kesehatan’s applications aren’t well-protected. Or, it could also be the work of insiders who intentionally leaked the data to an outside party. This points to the lack of oversight on the part of the data manager.

Of the two possibilities, I tend to believe that the former is more likely, given the increasingly sophisticated capabilities of information technology, and with it the evolution of hackers’ skills. That being said, the latter cannot be ruled out and must be investigated. 

Data is very important and economically valuable. The trove of data managed by BPJS Kesehatan could be used to map out the health and economic status of the Indonesian population. This includes the health status of our police and military forces, who are tasked with maintaining national security and defense.

The data breach can also relate to the current vaccination drive. The Indonesian government is in the midst of a campaign to accelerate the vaccination coverage for 181 million Indonesians, funded through the state budget (APBN) and regional budgets (APBD) as well as a private vaccination scheme known as the Gotong Royong (Mutual Cooperation) Vaccination program. Of course, BPJS Kesehatan data can also reveal the condition of vaccine recipients in Indonesia, such as age, line of work, wage, and other data. 

If the data is accessed by other parties with malign intentions, it could pose a threat to our nation as it can reveal the stages of vaccination carried out by the government and the ability of companies to carry out the private vaccination scheme. 

If it is later proven that the data was indeed hacked, then securing BPJS Kesehatan applications must take precedence. And this should be supported by a sufficient budget, considering that information technology is costly. 

The budget allocated for information technology spending in 2020 by the BPJS Kesehatan Board of Directors was Rp161.63 billion or 3.69 percent of total, and the realization was Rp157.93 billion. Surely this is relatively small, and must be increased to at least 8-10 percent, considering the depth and breadth, as well as sensitivity, of the data managed by BPJS Kesehatan.

More budget should be allocated for maintenance, capacity, audit and security improvement, to make it more secure. Audits should be conducted on a regular basis for all matters, involving the government, in this case the Communication and Information Ministry and the police. 

To streamline the service and maintenance, it is best if the existing BPJS Kesehatan applications can also be simplified so they can be more effective and efficient. Participant management applications, for example, can be merged into one for all types (PBI, PPU and BPU). Likewise, the number of applications for public service management and healthcare guarantee management can be combined. 

The ongoing investigation jointly conducted by the Communication and Information Ministry, the police and BPJS Kesehatan, which aims to pinpoint everything from the source of the leak, the type of data leaked and the existing applications to the parties responsible for managing the data, should reveal the structural problem at the heart of the matter.

This investigation must also be able to reveal the motivation of the perpetrators, whether it is simply an economic crime or there are more sinister plots underway, such as political or geopolitical motives. The culprit must be exposed to the public and brought to justice. 

Meanwhile, JKN participants whose personal information is part of the leaked data and who consider it a breach of privacy can file complaints and even a civil lawsuit against BPJS Kesehatan in the District Court, according to Articles 48-50 of Law No. 24/2011 on the National Social Security System.

This case must be solved as swiftly as possible by the government, to ensure that the investigation process doesn’t lose momentum, considering that information technology crimes are so sophisticated and it is relatively easy to eliminate traces and evidence. Otherwise, this can happen again in the future – not just personal information but also people’s medical history. This will set a very dangerous precedent.

The joint investigation team must synergize with each other and be open and transparent in the process, especially on the part of BPJS Kesehatan. To ensure this, the House of Representatives and the general public can exercise their oversight function. 

Lesson learned and anticipation 

The alleged breach of BPJS data could also potentially occur in ministries/agencies or other private institutions that manage public data. Information technology-based data management has become a necessity in order to support the effectiveness and efficiency of services to the public. As such, many of the applications used can be hacked by other parties. 

With this alleged data breach, institutions that manage public data should increase their vigilance, so the same thing doesn’t happen to them. Other similar institutions that manage public data, especially workers’ data, are the Manpower Ministry, BPJS Ketenagakerjaan, Preemployment Card Management Office, etc. 

The Ministry of Manpower manages the Manpower Information System (Sisnaker), a digital ecosystem that serves as a platform for all types of public services and activities in the field of manpower, both at the central and regional levels. Similarly, the data collected by this application is also very broad and comprehensive. This poses a hacking threat if the application’s security is not strengthened. 

BPJS Ketenagakerjaan, on the other hand, manages data on five social security programs, namely Occupational Accident Benefits (JKK), Death Benefits (JKm), Old-age Benefits (JHT), Pension Benefits (JP), and Retrenchment Benefits (JKP). BPJS Ketenagakerjaan and BPJS Kesehatan also share a joint portal for employer registration. This in itself increases the hacking risk. 

BPJS Ketenagakerjaan has four types of participants, namely, Earning Recipients, Non-earning Recipients (independent participants), Indonesian Migrant Workers (PMI), and Construction Workers. The data includes personal information of the workers and their families, wage, companies employing them, the amount of managed funds and investment returns and types of investment instruments for placement of workers funds. 

In highlighting this incident, the Communication and Information Ministry should also audit applications relied on by other institutions that manage public data, such as the ones mentioned above, and improve their quality and security. Hopefully, the public data can remain secure and not be misappropriated by malign actors wishing to exploit a vulnerability. (Timboel Siregar)

Timboel Siregar, SSi, SH, MM is an observer of social security systems. He graduated from the Bogor Institute of Agriculture (IPB) majoring in Statistics in 1994. Since 2010, he has been active in BPJS Watch and as Secretary General of the Indonesian Workers Organization (OPSI). He furthered his studies in Human Resource Economics at Trisakti University. Since 2015, he has been a national trainer for industrial relations with the Ministry of Manpower. He is a prolific opinion writer/contributor to many national media and is often invited as a speaker on campuses.