PhilHealth: 13 Million Members Affected By Data Breach

At least 13 million Philippine Health Insurance Corp. (PhilHealth) members have been affected by the Medusa ransomware cyberattack.

“It is really in the millions. Initially, we can surmise that it covers about 13 million data. We are just completing analysis for us to have the complete information,” PhilHealth senior vice president and data privacy officer Nerissa Santiago said at a press conference on Wednesday, Oct. 18.

Santiago said between 600 to 800 PhilHealth employees’ data have also been leaked.

The employees have already been informed, while PhilHealth members are yet to be notified regarding their compromised information.

“Since the involved data subjects are very substantial in terms of number and we have just obtained the database from DICT (Department of Information and Communications Technology) last week, we are still processing and analyzing the data before we can come out with the individual notification,” she explained.

PhilHealth advised the public anew to take the necessary measures to secure their information, especially those online.

PhilHealth president and chief executive officer Emmanuel Ledesma Jr. said the agency is ready to undertake measures to prevent similar cyberattacks as he gave assurances that there would be no disruptions in their services despite the transfer of seven members of the agency’s executive committee (execom).

Health Secretary Ted Herbosa said the transfer of the seven PhilHealth execom members was prompted by the ransomware attack.

Ledesma, however, expressed sadness and surprise over the Board of Directors’ decision to re-assign the seven PhilHealth officials. Investigation, he said, should have been undertaken before the transfer.

But Ledesma said he respects the decision of the board for an “independent check on the management and its officers.”

The Board of Directors, he said, is yet to issue a directive on where the named officials will be transferred or reassigned.

Partners for digital security

The National Privacy Commission (NPC) and the DICT have partnered for the implementation of a digital security and privacy quick response (DSPQR) project.

In a statement on Wednesday, the NPC said the DSPQR project is an innovative complaint-handling system designed to swiftly address privacy violations and concerns.

The NPC added that the project will be integrated into the eGov application under the Government Digital Transformation Bureau.

“This groundbreaking collaboration represents a pivotal step towards ensuring the safeguarding of the digital security and privacy of every Filipino,” the NPC said.

Under the agreement, DICT will allocate resources for the project and establish a framework for regular reporting by NPC.

The NPC will actively engage as an implementing unit of the DICT, focusing on raising awareness, educating individuals and organizations about the project and highlighting its effectiveness in addressing privacy issues and cybersecurity threats.

The NPC will also triage cases involving cybersecurity threats, consumer-related concerns and data privacy issues monitored and reported through the Consumer Complaint Center, Contact Center ng Bayan, National Computer Emergency Response Team and the NPC.

“The project will empower us to swiftly address privacy concerns and violations, ultimately upholding every citizen’s right to privacy in this digital age,” said NPC Commissioner John Henry Naga.

“We also encourage our citizens to be vigilant and proactive in safeguarding their digital well-being. Report any privacy concerns or incidents promptly, as your active role is essential to our collective effort to ensure a safer and more secure online environment for every Filipino,” said DICT Secretary Ivan John Uy.

The DSPQR Project will be operational on Oct. 25.

Cybersecurity

Makati City Rep. Luis Campos Jr. is pushing for an additional P3 billion to build up the capabilities of the Cybercrime Investigation and Coordinating Center (CICC) amid the series of cybersecurity attacks on government websites.

“We must bolster the CICC with all the necessary cutting-edge technologies to swiftly produce actionable intelligence against all types of threat actors – from thrill seekers and hacktivists to cyber criminals and cyber terrorists,” he said.

House Minority Leader Marcelino Libanan and Rep. JC Abalos II filed House Resolution 1392, directing the House committee on information and communications technology to investigate, in aid of legislation, the cyber attacks on the websites of the state health insurer, Philippine Statistics Authority, Department of Science and Technology (DOST), House of Representatives and the Senate.

“The dangers of such leaks are manifold and may have long-lasting and grave repercussions, including the demand for ransom from the Medusa ransomware group,” Abalos said, refer-ring to the cyberattack against PhilHealth or Philippine Health Insurance Corp. on Sept. 22.

In a separate cyber attack on Oct. 15, hackers who identified themselves as the “3musketeerz” uploaded an image of the “Trollface” meme on congress.gov.ph’s Photo Journals section, bearing a warning that the site had been hacked.

Science Secretary Renato Solidum Jr. said on Wednesday they are looking into improving their data storage and information infrastructure systems after the DOST’s One Expert portal experienced a cyber attack last week.

Camarines Sur Rep. Luis Raymund Villafuerte Jr. suggested that the DICT and National Telecommunications Commission could invest in “cutting edge anti-virus software” and hire cyber security experts to strengthen the country’s digital infrastructure.

The CICC, which integrates the cybercrime-fighting divisions of the DICT, National Bureau of Investigation, Philippine National Police and the Department of Justice, has a budget of only P347.7 million this year.

In the 2024 National Expenditure Program, the center has only P320.8 million.

The Philippines could be incurring up to $3.5 billion, or nearly P200 billion, in economic losses every year due to cybercrime, according to San Antonio, Texas-based business consulting firm Frost & Sullivan. – With Catherine Talavera, Delon Porcalla, Rainier Allan Ronda