PhilHealth malware attack caused transaction data leak, but members' database unaffected —DICT


The Department of Information and Communications Technology (DICT) on Friday said that the transaction data of some members of Philippine Health Insurance Corp. (PhilHealth) were leaked following a recent ransomware attack. 

DICT, however, clarified that PhilHealth members' database was not affected by the cyberattack. 

In an interview on Super Radyo dzBB, DICT Undersecretary Jeffrey Dy said their analysis showed that there were no remnants of the Medusa malware in the members' database.

“As per our analysis… what we call the members' database of PhilHealth was not really hit,” said Dy.

“How can you be sure that there is no members' data? Actually, in our analysis as well, from what we saw in the leaked data, there is. It's just not all of it. It's not all of the members’ data,” added Dy.

Dy also said that the transactional data may have come from transactions between PhilHealth and hospitals.

“Oftentimes there are hospitals being dealt with, most likely by PhilHealth. Of course, when they were dealing with them, they had worksheets they were working on in their computers, and that is what the Medusa ransomware now holds,” the undersecretary said.

On Thursday, the DICT said the Medusa ransomware group uploaded a copy of over 600 gigabytes of files from PhilHealth to a website and a Telegram channel after 4 p.m. on October 5, two days after the deadline for a ransom payment of about $300,000, or approximately P17 million, expired.

A video of the leaked information showed photos, bank cards, and transaction receipts of the victims, among others.

According to Dy, there is also no indication that the hacking was an inside job.

“We saw that what they entered was an external site, then they were there in one computer for three months and then they slowly crawled. This was patient work. They slowly crawled and then one day, they suddenly all activated at the same time,” he said.

He also assured the public that PhilHealth has now added cybersecurity measures to its website.

“We assure the public that PhilHealth is now more secure but if we reach an acceptable level of security, then we’re still working on it,” he said.

The DICT previously urged PhilHealth employees and members to change their passwords in their online accounts. —VAL, GMA Integrated News