PhilHealth pressed more to explain data theft, leakage

PhilHealth blames hack on new procurement rules

COMPUTER BREACH PhilHealth’s operations revert to manual after its website and computer systems were hacked on Sept. 22. —GRIG C. MONTEGRANDE

The Philippine Health Insurance Corp. (PhilHealth) still has a lot of explaining to do regarding the extent and repercussions of the Medusa ransomware attack last month that led to the reported leak and possible sale of the personal data of its employees and members.

Members of the Makabayan bloc at the House of Representatives on Friday called for an inquiry into the Sept. 22 cyberattack on the state health insurer. Another lawmaker described it as a “clear and present danger” faced by PhilHealth members.


The three-member bloc also pressed concerned government agencies to give a public briefing on the matter and fully disclose the findings of their respective investigations.


In House Resolution No. 1350, the Makabayan lawmakers asked the House information and communications technology panel to conduct the investigation in aid of legislation related to cybersecurity, centering on the leak of personal data of PhilHealth employees and members.

“PhilHealth must be compelled to fully explain the extent of the data breach and to put in place stronger security measures following the ransomware attack,” they said in the resolution.

They warned that the public release of sensitive personal data of PhilHealth employees and members on the dark web will endanger their security, since such personal information may be used in scams, identity theft or phishing.

DICT disclosure

PhilHealth’s services and transactions were done offline for several days before its website was finally restored on Sept. 29.

However, the Department of Information and Communications Technology (DICT) said the Medusa ransomware group uploaded over 600 gigabytes of files to the dark web and a Telegram channel on Oct. 5, two days after the deadline for the payment of the P17-million ransom demanded by the hackers.

The leaked data included photos, bank cards and transaction receipts of premium payments of affected victims, with the leaked documents showing the payee’s full name and 12-digit PhilHealth identification number.


The DICT warned the public to be careful against spam texts, scams and phishing, and to enable two-factor authentication in their accounts.

PhilHealth said it was working to notify those affected by the cyberattack and advised affected members to monitor their credit reports for any unauthorized activity and place fraud alerts on their credit reports. The public was also advised to change their passwords in their online accounts, especially financial accounts, and be wary of phishing emails and smishing text messages.

PhilHealth has partly blamed the cyberattack on its failure to renew its antivirus software licenses last year because of new rules set by the Government Procurement Policy Board (GPPB).

No means to verify

Asked on Friday to comment on reports that the stolen data had already reached the dark web and was possibly being sold at this point, Rey Baleña, PhilHealth senior manager for corporate communications, said: “We don’t have the capacity to verify it.”

But Baleña spoke at length about the company’s plan to procure “next week” a new antivirus software after it failed to get a “compliant” bidder last year. PhilHealth has “expedited the process of rebidding, and we are looking at the issuance of ‘notice to proceed’ by next week,” he told the Inquirer.

He said Resolution No. 06-2022—and not Resolution No. 05-2022 as earlier reported—which sets the guidelines on the renewal of regular and recurring procurement items, was the new rule of the GPPB that barred PhilHealth from renewing its antivirus software license. Under Resolution No. 06 issued last year, the “duration of each renewal contract shall not exceed one year.”

“However, the total combined period covering the original contract, renewal and contract extension/s, if applicable, shall not exceed three years,” it added.

“The new GPPB policy affected us in terms of renewing our contract … [so] instead, we had to resort to procuring again given the maximum time period that the new policy provides for renewals and extensions,” Baleña said.

But the first bidding attempt, said Baleña, had “failed due to issues on supplier compliance to some technical aspects.” The PhilHealth official made the clarification after the Inquirer reported that the state insurer pointed to new procurement rules as the reason behind its outdated antivirus software, making its online systems an easy target for malware.

PhilHealth has maintained since the data breach was made public that no sensitive information about its members had been compromised—but only those found on some of its employees’ workstations.

But it issued an “urgent advisory” on Oct. 2 suggesting that hackers may have already gotten hold of personal information—name, address, birthdate, sex, phone number and PhilHealth identification number—of some members.

‘Deeply worrisome’

Sharing the Makabayan bloc’s concerns, Bohol Rep. Kristine Alexie Tutor said the cyberattack was “shocking and deeply worrisome” and a “clear and present danger to the health security of all PhilHealth members.” “We can no longer be complacent and have a false sense of security that cyberattacks and ransomware incidents happen only in Europe and the United States because now we definitely know the Philippines is a target,” she said in a statement.

Tutor, chair of the House committee on civil service and professional regulation, said the government should engage in public-private partnerships and foreign technical assistance from the Asian Development Bank, Japan International Cooperation Agency and World Bank to fund capital investments in cybersecurity.

“Cybersecurity strong enough to defend against, investigate, prosecute, and counterattack cybercriminals, especially of the ransomware and infiltration kind requires huge capital investments. The Philippine government cannot do this alone,” she said.

Tutor added: “While we wait for the capital investments in cybersecurity, we need swift measures to make sure vulnerable websites have active defenses and a protective buffer between the websites and the agency databases. There must also be redundancies to ensure public services are not interrupted or can be back online swiftly.”

PhilHealth executive vice president and chief operating officer Eli Santos said the failure to renew antivirus subscription licenses made its computer system outdated and vulnerable to cyberattacks.

But the state health insurer maintained the cyberattack did not affect its servers containing members’ private information.
