The Philippine Health Insurance Corporation (PhilHealth) is still reeling from the ransomware attack on its servers that occurred on September 22.
The attack has compromised data stored in its servers and local workstations.
PhilHealth's executive vice president and chief operating officer, Eli Santos, said the agency failed to renew its antivirus software licenses last year due to new government procurement rules, leaving its computer system outdated and vulnerable to cyberattacks.
“At the time, there were procurement issues. The reason was a strict compliance of rules and regulations, that’s why we were not able to update the system,” he said.
However, Santos clarified that “incident response” and antivirus systems are currently in place to fix the data breach.
Data exposed on dark web
The Philippines Department of Information and Communications Technology (DICT) earlier this week confirmed that hackers have begun exposing data, including details on employees, on the dark web after failing to get ransom money from the government.
DICT's Undersecretary Jeffrey Dy said that the Medusa ransomware group, responsible for breaching PhilHealth's system, demanded a US$300,000 (S$409,799) ransom for the stolen data.
A CNN report citing Dy said the initial analysis revealed that among the information published were PhilHealth employees’ identification cards, including Government Service Insurance System IDs.
“In terms of PII (personal identifiable information), we saw some IDs, pictures, which we cannot ascertain at the moment if they are PhilHealth employees, or members,” he added.
The official said these appear to be “teasers” from hackers, who might still be waiting for the government to accede to their demand.
Possible negligence
The Philippines National Privacy Commission (NPC) further suspects "possible negligence" in the handling of personal information and security by PhilHealth.
NPC's Chief of Complaints and Investigation Division, Michael Santos, told ANC Digital that his team is monitoring the dark web for a possible dump of data of PhilHealth employees and members and will also "recheck" if any other servers are exposed to the attack.
DICT and PhilHealth have affirmed that the members’ database, containing private information, claims, contribution and accreditation details, remains “intact” as it was stored in a separate database.
A clarification from PhilHealth said only the application servers and employees' workstations have been affected.
"Hence files stored in the hard drive of the infected workstations may have been compromised."
It added that an inventory is being conducted to determine the extent of information that may have been exfiltrated from these workstations.
PhilHealth urged the public to be cautious in opening malicious content online and on social media.