BPJS Health is the Health Social Security Organizing Agency, which is responsible for administering health insurance programs for the Indonesian people. In an era of increasing digitalization, however, user data leakage is a serious problem that must be addressed. User data leaks have become an increasingly disturbing issue in this digital era, and one of the entities responsible for maintaining the confidentiality of user data is the Social Security Administering Agency for Health. This article aims to analyze BPJS Health's responsibility for user data leaks from a criminal law perspective. The research uses a normative method with a statutory approach and draws on related cases in its analysis. The results show that leakage of user data by the Health Social Security Administering Agency can violate several criminal provisions stated in Law No. 27 of 2022 concerning Personal Data Protection and Law No. 11 of 2008 concerning Information and Electronic Transactions, especially in the context of violations of confidentiality and protection of personal data. It can be concluded that BPJS Health bears criminal legal responsibility for user data leaks. To minimize the risk of data leaks, the Social Security Administering Agency for Health needs to improve system security and compliance with personal data protection regulations. In addition, the government needs to strengthen supervision and law enforcement in dealing with data leak cases involving public entities such as BPJS Health.