
Medusa Hackers Release Stolen PhilHealth Data

Hackers have started exposing some of the data taken in the ransomware attack against the Philippine Health Insurance Corp. after a ransom of $300,000 to unlock the data was not paid.

Filipinos should brace for a barrage of online scams in the coming days after hackers who stole data from state-run Philippine Health Insurance Corp. (PhilHealth) have leaked members’ information to online – and possibly criminal – groups.

Reports coming from dark web informants showed that documents stolen from PhilHealth were publicized in online marketplaces like Telegram starting Thursday, Oct. 5.

Deep Web Konek, a group dedicated to publishing activities in the dark web, shared a screenshot showing large packets of files containing alleged information on PhilHealth members.

As such, the group warned that PhilHealth members should be vigilant in the coming days. Data uploaded on the dark web are usually exploited by criminal groups involved in digital fraud ranging from messaging scams to identity theft.

Another report indicated that PhilHealth files in online marketplaces contain documents compressed in 160 folders. In total, these files amount to 600 GB of data.

The Philippine STAR reached out to the Department of Information and Communications Technology (DICT) for comment, but received no response.

Earlier, PhilHealth admitted that it has yet to determine the number of records taken by Medusa, but expressed belief that sensitive information was included in the ransomware attack.

These data include name, address, birthday, sex, mobile number and identification number.

PhilHealth has committed to notify members whose personal information was deemed compromised. The state-run insurer also asked contributors to take precautions right away, including monitoring their credit reports for unauthorized activities.

PhilHealth also said members should place a fraud alert on their credit reports. Contributors are also advised to change their passwords in all digital accounts, particularly in financial platforms, and keep an eye on phishing emails and smishing texts.

In a text message to reporters, the National Privacy Commission (NPC) said it is looking into the liability of PhilHealth in the data breach.

“As for PhilHealth’s liability, we are currently assessing whether negligence was involved on its part before making any definitive statements, but in addition to negligence we are also looking if there is concealment and possible imposition of administrative fines,” the NPC said.

Explanation at budget hearing

While the Senate has not yet initiated an investigation into the hacking of PhilHealth, officials of the state-run insurer should be made to explain the cyber security breach when they defend before lawmakers their proposed budget for 2024, Sen. Grace Poe said on Thursday.

Although Congress is on recess, several Senate subcommittees continue to conduct hearings on the 2024 proposed budgets of various government agencies.

“Even if it is not investigated (by the Senate), I think it is necessary that we ask about the hacking incident during the budget hearing,” Poe said during the “Kapihan sa Manila Bay” forum on Wednesday, Oct. 4.

Cyberhackers demanded $300,000 or approximately P16 million after the Medusa ransomware infected the systems of PhilHealth on Sept. 22, according to the DICT.

Poe cited reports that the hackers may have taken advantage of the expiration of PhilHealth’s anti-virus security software last May to carry out their plan.

“They did not subscribe to anti-virus and security software since May, that’s why they were hacked. I don’t think it is really an excuse for any government agency not to have security in their databases,” she said.

Poe said that even if PhilHealth did not have enough budget for cyber security software, its officials should have used their revolving funds, or emergency procurement, which is allowed under the law. She said that unlike in the past, hiring of IT experts has now become necessary.

“One of the bills that I filed is that as part of the E-government Act with the digitalization of government agencies into one portal, all important agencies, government and critical establishments of private sector like media, telcos, etc. should have cyber security employees on duty all the time to thwart or address cyber attacks.”

Poe said agencies should have IT experts handling the cyber security plan to ensure at least minimum IT compliance with cyber security regulations.

“Why was it (cyber security subscription) not prioritized? They let it lapse and didn’t pay the subscription. I am sure they have an IT manager there. They should be summoned, their database was not affected, but other information was stolen,” Poe said.

Sen. Bong Go, for his part, has reiterated his call for PhilHealth as well as other government agencies to bolster their cybersecurity defenses.

Go said the protection of data and the continuity of services, especially for the underprivileged, should be of utmost priority.

“First of all, we should not be complacent. Every detail of information is important and every second of delay in services can spell a big problem for our countrymen in need,” Go said.

Go, chairman of the committee on health, urged PhilHealth to take immediate and stringent measures.

“We should have preventive measures so this kind of incident won’t be repeated. We must strengthen our cybersecurity,” he said.

The senator also stressed the importance of ensuring that PhilHealth’s services remain uninterrupted, especially for the poor.

“It’s not only PhilHealth that’s in danger here, but its members as well,” he said. He explained that any investigation would need much input from the DICT and the National Privacy Commission (NPC).

‘Hold PhilHealth accountable’

Meanwhile, information and communications technology professionals have urged the government to hold PhilHealth accountable for the cyber attack on its system.

The Computer Professionals’ Union (CPU) said the recent statements of PhilHealth and DICT highlighted the government’s lack of initiative to protect and secure sensitive and personal information.

“The fact that PhilHealth and the DICT initially downplayed the severity of the Medusa ransomware breach on its systems, especially its impacts on the people, speaks volumes about how the government treats people’s personally-identifiable information,” the group said in a statement.

“Now PhilHealth is stating that ‘only’ employees’ personal information has been affected, although it admitted that it is possible that the breached computers could also have information on PhilHealth’s members, which as of 2021 numbered 94 million or more than 80 percent of the country’s population,” the group said.

PhilHealth officials initially downplayed the breach by saying its main servers were secure after the attack.

One report also quoted an official as saying that the threat to release stolen information was only a bluff.

The DICT later confirmed that some information, primarily that on employees, was compromised in the incident.

PhilHealth issued a public advisory hours before the deadline set by the hackers expired.

The CPU said the PhilHealth data breach is just the latest in a series of incidents that highlight the government’s ineptitude in handling people’s personal information.

It recalled the leak of information on police applicants and members early this year as well as the so-called “Comeleak” in 2016.

Belated alert

Infrawatch PH decried PhilHealth’s belated move to alert the public and demanded that it cooperate with investigators.

“This critical issue demands immediate and transparent action from all parties involved. No urgent public notices can replace comprehensive action,” said Terry Ridon, Infrawatch PH convenor and former party-list congressman.

“The notice from PhilHealth is insufficient. It leaves the public in the dark about the full extent of the breach and fails to outline a clear action plan for resolving the issue,” Ridon said.

“Attributing the failure to renew antivirus software to new government procurement rules is not just an excuse; it’s a dereliction of duty,” Ridon said.

“The PhilHealth breach raises serious questions about the security of other government databases. If a database as extensive as PhilHealth’s can be compromised, it casts doubt on the security measures in place for other government systems,” Ridon pointed out.

Data protection groups have offered to help PhilHealth ease the impact of the cyber attack.

The National Association of Data Protection Officers of the Philippines (NADPOP) and the Philippine Computer Emergency Response Team (PH-CERT) made the offer in a joint statement.

“If PhilHealth needs unbiased third-party support, we have volunteers who are ready to assist in digital forensics and in the data management breach of the agency,” the groups said.

NADPOP and PH-CERT said they are bringing to the table a third-party perspective on the matter, and that they are willing to coordinate with the DICT and the NPC, which are investigating the data breach.

PH-CERT president Angel Averia Jr. said it is safe to assume that PhilHealth has compromised sensitive data and left them exposed to criminal groups.

NADPOP president Sam Jacoba warned that the PhilHealth data leak could be worse than the one that hit the Commission on Elections in 2016.

Jacoba said all workers are enrolled in PhilHealth as mandated under Republic Act No. 11223 or the Universal Health Care Act, unlike in Comelec, which only has data on registered voters.

As of 2022, PhilHealth maintains a network of 59.03 million members made up of 35.31 million direct contributors and 23.72 million indirect contributors.

Preliminary investigation from the NPC showed that the ransomware attack exposed the IDs and photos of some PhilHealth members.

PhilHealth admitted as well that the data breach has leaked the mobile numbers of affected contributors. – With Janvic Mateo, Rainier Allan Ronda