Cybersecurity Updates: PhilHealth Compromised by Medusa Ransomware
September 26, 2023
According to the Department of Information and Communications Technology (DICT), the Philippine Health Insurance Corporation (PhilHealth) was hit by Medusa ransomware on September 22, affecting several systems and compromising data. The hackers responsible for the attack have demanded $300,000, or P17 million, in ransom for the stolen data. DICT Undersecretary Jeffrey Ian Dy notes that the ransom is in exchange for regaining access to the stolen data, preventing its publication, and providing the DICT with a copy.
In response to the data breach, PhilHealth shut down several online systems including its website, the Health Care Institution (HCI) member portal, and e-claims. According to the official statement from PhilHealth, “While the investigation is being undertaken, affected systems shall be temporarily shut down to secure our applications”.
The DICT says it is working closely with PhilHealth and an outsourced cybersecurity vendor to deal with the security breach, which has been labeled “under control” because investigators have already identified the infected systems, which servers attacked PhilHealth, and how the data was compromised. “As of this moment, as per our investigation or checking, the PhilHealth [members] databases are safe and secure,” Undersecretary Dy said.
The DICT warns that this specific ransomware is a worldwide threat, with several groups having been associated with or identified as Medusa. According to Undersecretary Dy, “Medusa ransomware is now an active threat not only to the Philippines but also worldwide.”
The DICT recently released a technical advisory on the Medusa ransomware.
