The Philippine Health Insurance Corporation's (PhilHealth) initial analysis reveals personal data of 13 to 20 million individuals may have been compromised in the Medusa ransomware attack.
PhilHealth's data privacy officer, Nerissa Santiago, said PhilHealth has yet to determine the exact number but expects that around 13 million to 20 million individuals may have been affected, including 600 to 800 of its employees.
“It is really in the millions... We are expecting some 13 to 20 million names. But we cannot say the exact number yet,” she said.
Earlier, on September 22, PhilHealth suffered a ransomware attack on its servers, with the hackers demanding a US$300,000 (S$410,207) ransom for the stolen data. The hackers exposed the data on the dark web after failing to get ransom money from the government.
Santiago said the employees have already been informed, while PhilHealth members are yet to be notified regarding their compromised information.
“We have just obtained the database from DICT (Department of Information and Communications Technology) last week, we are still processing and analysing the data before we can come out with the individual notification,” she explained.
Cyber defence initiatives
As part of defence measures, PhilHealth is expecting the delivery of an anti-virus procurement demo licence this week.
The agency recently confirmed that it failed to renew antivirus software licences due to new government procurement rules.
PhilHealth's senior IT manager, Nelson De Vera, said the organisation is now set to receive the new procurement licence, valid for one year, at a cost of approximately 14 million Philippine pesos (S$338,000), which includes protection against various forms of malware and ransomware.
The Philippines' National Privacy Commission (NPC) and DICT also announced a partnership to implement a digital security and privacy quick response (DSPQR) project across the nation.
NPC said the DSPQR project is an innovative complaint-handling system designed to swiftly address privacy violations and concerns.
It added that the project will be integrated into the eGov application under the Government Digital Transformation Bureau.
Under the agreement, DICT will allocate resources for the project and establish a framework for regular reporting by NPC.
The NPC will actively engage in raising awareness, educating individuals and organisations about the project and highlighting its effectiveness in addressing privacy issues and cybersecurity threats.
The project is likely to be operational from October 25.