
PhilHealth Data Leak Updates; Not All Affected Members Notified of Hacking’s Extent


July 12, 2024
Updated on July 15, 2024

According to the Philippine Health Insurance Corporation (PhilHealth), not all members affected by the data breach involving the agency in September 2023 were made aware of the full extent of the breach.

During a House of Representatives hearing on July 8, 2024, the appropriations committee sought an update on the cybersecurity incident that affected 42 million of PhilHealth’s members. Marikina 2nd District Representative Stella Quimbo inquired whether the agency had followed the procedures recommended by the National Privacy Commission (NPC) under the Data Privacy Law, which requires affected organizations to:

  • Notify affected individuals within 72 hours
  • Identify the data that was breached
  • Understand how the breach occurred and the potential risks to affected individuals
  • Inform members on how to protect themselves

In response, PhilHealth Executive Vice President Eli Santos said that the organization has complied with the Data Privacy Act and has attempted to inform its members through its Information Security Office. However, he added that he is not privy to the specific details of how the information was disseminated.

Quimbo pressed further, asking whether each individual member had been made aware of the full extent of the incident and its implications. To this, Santos replied, “As to the individuals, Madam Chairperson, no.”

“No sir, it’s a very specific question. Yes, or no? There are 42 million individuals affected. Do they know the four pieces of information that they should know? Yes, or no?”

-Stella Quimbo, Marikina 2nd District Representative

PhilHealth was then given a deadline to submit a status report by June 10, and to provide updates on their future actions by July 12.

“Okay, Attorney Santos, what is our plan for the 42 million individuals whose information is out there, that can be accessed by anyone at this point? Is that right, is that the situation? That the records compromised can be accessed?”

-Stella Quimbo, Marikina 2nd District Representative

PhilHealth Data Breach: A Recap

On September 22, 2023, the Department of Information and Communications Technology (DICT) announced that PhilHealth had been hit by Medusa ransomware, which affected several systems and exposed confidential information and sensitive data to the public. According to initial reports, the hackers responsible for the attack demanded $300,000 [PHP 17 million] in ransom for the stolen data, amounting to over 700 gigabytes, which PhilHealth refused to pay.

The files were initially released on the dark web on October 3, 2023, and made public through the web and other platforms such as Telegram on October 5, 2023, two days after the given deadline. Data stolen in the ransomware attack includes:

  • Names
  • Addresses
  • Birthdays
  • Mobile numbers
  • PhilHealth Identification Numbers
  • Member contribution payment receipts

PhilHealth and DICT identified outdated antivirus (AV) software and an outdated cybersecurity system as the weakness that made the attack possible. According to reports, the agency’s AV subscription had expired between April 15 and May 15, 2023, and the procurement of a new subscription was reportedly delayed. This drew the attention of several lawmakers and the National Privacy Commission, who cited negligence on the agency’s part.

PhilHealth’s Current Situation:

According to the DICT, PhilHealth’s system is currently protected with a backup antivirus system provided by the National Computer Emergency Response Team (NCERT).

“At present, Madam Chairperson, I was informed that on a daily basis, PhilHealth is experiencing attempts on hacking, Madam Chairperson, but the current system that is in place now prevents such attacks from happening again, Madam Chairperson. And again, thank you to DICT, Madam Chairperson,”

-Eli Santos, PhilHealth Executive Vice President

The NPC has also launched a website where PhilHealth members can enter their 12-digit numbers to check whether their data was included in the hacking incident.

Implications of Data Breaches

With the rising number of data breaches in the Philippines, threat actors likely already have access to sensitive information about individuals and organizations, such as names, addresses, credit card numbers, and bank account details. PSA emphasizes the dangers of data breaches: threat actors who hold your personal information can use it to make their phishing attempts sound more convincing. If you receive a call from your bank about an allegedly compromised account, consider hanging up and calling the bank directly, using a number you already have, to verify whether the security alert is legitimate.