Medusa hackers release stolen PhilHealth data
Hackers have started exposing some of the data taken in the ransomware attack against the Philippine Health Insurance Corp. after a ransom of $300,000 to unlock the data was not paid.

Manila, Philippines — Filipinos should brace for a barrage of online scams in the coming days after hackers who stole data from state-run Philippine Health Insurance Corp. (PhilHealth) have leaked members’ information to online – and possibly criminal – groups.

Reports coming from dark web informants showed that documents stolen from PhilHealth were publicized in online marketplaces like Telegram starting yesterday.

Deep Web Konek, a group dedicated to publishing activities on the dark web, shared a screenshot showing large packets of files containing alleged information on PhilHealth members.

As such, the group warned that PhilHealth members should be vigilant in the coming days. Data uploaded on the dark web are usually exploited by criminal groups involved in digital fraud ranging from messaging scams to identity theft.

Another report indicated that PhilHealth files in online marketplaces contain documents compressed in 160 folders. In total, these files amount to 600 GB of data.

The STAR reached out to the Department of Information and Communications Technology (DICT) for comment, but received no response.

Earlier, PhilHealth admitted that it has yet to determine the number of records taken by Medusa, but expressed the belief that sensitive information was included in the ransomware attack.

These data include name, address, birthday, sex, mobile number and identification number.

PhilHealth has committed to notify members whose personal information was deemed compromised. The state-run insurer also asked contributors to take precautions right away, including monitoring their credit reports for unauthorized activities.

PhilHealth also said members should place a fraud alert on their credit reports. Contributors are also advised to change their passwords in all digital accounts, particularly in financial platforms, and keep an eye on phishing emails and smishing texts.

In a text message to reporters, the National Privacy Commission (NPC) said it is looking into the liability of PhilHealth in the data breach.

“As for PhilHealth’s liability, we are currently assessing whether negligence was involved on its part before making any definitive statements, but in addition to negligence we are also looking if there is concealment and possible imposition of administrative fines,” the NPC said.

Explanation at budget hearing

While the Senate has not yet initiated an investigation into the hacking of PhilHealth, officials of the state-run insurer should be made to explain the cyber security breach when they defend their proposed budget for 2024 before lawmakers, Sen. Grace Poe said yesterday.

Although Congress is on recess, several Senate subcommittees continue to conduct hearings on the 2024 proposed budgets of various government agencies.

“Even if it is not investigated (by the Senate), I think it is necessary that we ask about the hacking incident during the budget hearing,” Poe said during the Kapihan sa Manila forum on Wednesday.

Cyberhackers demanded $300,000 or approximately P16 million after the Medusa ransomware infected the systems of PhilHealth on Sept. 22, according to the DICT.

Poe cited reports that the hackers may have taken advantage of the expiration of PhilHealth’s anti-virus security software last May to carry out their plan.

“They did not subscribe to anti-virus and security software since May, that’s why they were hacked. I don’t think it is really an excuse for any government agency not to have security in their databases,” she said.

Poe said that even if PhilHealth did not have enough budget for cyber security software, its officials should have used their revolving funds, or emergency procurement, which is allowed under the law. She said that unlike in the past, hiring IT experts has now become necessary.

“One of the bills that I filed is that as part of the E-government Act with the digitalization of government agencies into one portal, all important agencies, government and critical establishments of private sector like media, telcos, etc. should have cyber security employees on duty all the time to thwart or address cyber attacks.”

Poe said agencies should have IT experts handling their cyber security plan to ensure at least minimum IT compliance with cyber security regulations.

“Why was it (cyber security subscription) not prioritized? They let it lapse and didn’t pay the subscription. I am sure they have an IT manager there. They should be summoned, their database was not affected, but other information was stolen,” Poe said.

Sen. Bong Go, for his part, has reiterated his call for PhilHealth as well as other government agencies to bolster their cybersecurity defenses.

Go said the protection of data and the continuity of services, especially for the underprivileged, should be of utmost priority.

“First of all, we should not be complacent. Every detail of information is important and every second of delay in services can spell a big problem for our countrymen in need,” Go said.

Go, chairman of the committee on health, urged PhilHealth to take immediate and stringent measures.

“We should have preventive measures so this kind of incident won’t be repeated. We must strengthen our cybersecurity,” he said.

The senator also stressed the importance of ensuring that PhilHealth’s services remain uninterrupted, especially for the poor.

“It’s not only PhilHealth that’s in danger here, but its members as well,” he said. He explained any investigation would need much input from the DICT and the National Privacy Commission (NPC).

Meanwhile, information and communications technology professionals have urged the government to hold PhilHealth accountable for the cyber attack on its system.

The Computer Professionals’ Union (CPU) said the recent statements of PhilHealth and DICT highlighted the government’s lack of initiative to protect and secure sensitive and personal information.

“The fact that PhilHealth and the DICT initially downplayed the severity of the Medusa ransomware breach on its systems, especially its impacts on the people, speaks volumes about how the government treats people’s personally-identifiable information,” the group said in a statement.

“Now PhilHealth is stating that ‘only’ employees’ personal information has been affected, although it admitted that it is possible that the breached computers could also have information on PhilHealth’s members, which as of 2021 number 94 million or more than 80 percent of the country’s population,” the group said.

PhilHealth officials initially downplayed the breach by saying its main servers were secure after the attack.

One report also quoted an official as saying that the threat to release stolen information was only a bluff.

The DICT later confirmed that some information, primarily that on employees, was compromised in the incident.

PhilHealth issued a public advisory hours before the deadline set by the hackers expired.

The CPU said the PhilHealth data breach is just the latest in a series of incidents that highlight the government’s ineptitude in handling people’s personal information.

It recalled the leak of information on police applicants and members early this year as well as the so-called “Comeleak” in 2016.

Belated alert

Infrawatch PH decried PhilHealth’s belated move to alert the public and demanded that it cooperate with investigators.

“This critical issue demands immediate and transparent action from all parties involved. No urgent public notices can replace comprehensive action,” said Terry Ridon, Infrawatch PH convenor and former party-list congressman.

“The notice from PhilHealth is insufficient. It leaves the public in the dark about the full extent of the breach and fails to outline a clear action plan for resolving the issue,” Ridon said.

“Attributing the failure to renew antivirus software to new government procurement rules is not just an excuse; it’s a dereliction of duty,” Ridon said. — Janvic Mateo, Rainier Allan Ronda