NHF Cyber Incident underscores urgent need for CyberSecurity Act – Brown

The cyber breach that saw Jamaicans’ health records at the National Health Fund (NHF) being exposed, likely by a hacker, makes it all the more important that the Government takes great care in protecting citizens’ personal data.

Cybersecurity has been very ambiguous in Jamaica, with the Government failing to be definitive and unsure as to a framework. This comes against the backdrop of increasing cyber crimes in Jamaica and people being unable to rely on privacy. This undermines the credibility of NIDS and makes people fearful of giving pertinent information about themselves. The duty of care remains on the Government’s shoulders and rather than mandate people to submit their details, they must demonstrate it can keep such information safe and confidential without some hacker easily able to get access to to it.

When a state agency like the NHF gets exposed in such a way, it is a cause for concern and should spur the Health Minister Dr. Christopher Tufton into immediate action.

Opposition Spokesperson on Science, Technology, Data and Digital Transformation, Christopher Brown makes the point that this is the reason why there is a need for a Cybersecurity Act.

Read his statement below: 

The reported cyber incident involving the National Health Fund underscores the urgent need for comprehensive cybersecurity legislation.

The Government must fast-track and table a Cybersecurity Act this calendar year, rather than delay until 2027.

The Minister of Health and Wellness has confirmed that individuals claiming to have accessed sensitive NHF information have contacted the agency. While the breach has not yet been fully verified, the matter has been referred to the Office of the Information Commissioner and the Major Organised Crime and Anti-Corruption Agency for investigation. The information reportedly involved, including beneficiary and medication data, represents some of the most sensitive personal information held by the State.

Just last week, in Parliament, I warned that Jamaica urgently requires a Cybersecurity Act to establish minimum security standards, accountability frameworks, and enforcement mechanisms across Government. The NHF incident underscores precisely why that legislation can no longer be delayed.

Government figures indicate that cyber incidents and attempted attacks have risen from approximately 12 million in 2022 to 49 million in 2025, reflecting a rapidly escalating threat environment targeting both public institutions and citizens’ personal data. Yet Jamaica still lacks a dedicated legislative framework requiring public bodies to meet baseline cybersecurity standards before an incident occurs.

Whilst the Government has suggested a timeline extending to 2027 for cybersecurity legislation, recent events make clear that this pace is wholly insufficient. The risks are immediate; our legislative response must reflect that reality.

I therefore renew my call for the Government to fast-track the drafting and tabling of a Cybersecurity Act without further delay. Every day without that framework is a day Jamaica’s citizens, institutions, and digital future remain unnecessarily exposed. The Government must act and it must act now.