PhilHealth: Members’ data, premiums not affected by ransomware attack

The Philippine Health Insurance Corporation (PhilHealth) said Monday that its membership database, including their contributions and claims, were not affected by the recent ransomware attack which prompted the agency to shut down its online systems.

At a press conference, PhilHealth executive vice president and COO Eli Santos said that what was only compromised by the Medusa ransomware attack was the workstations of their employees based in Pasig City. 

“We have databases, we have servers and our general PhilHealth membership data were not affected. That's for sure, it was not affected,” he told reporters.

PhilHealth IT Department Senior Manager Nelson De Vera, for his part, added that the ransomware affected the majority of PhilHealth’s application servers, which are now being rebuilt.

“Our membership database, claims, contribution, accreditation, and other information are stored on a separate database server which is not affected by cyber attack,” De Vera said.

This was welcomed by PhilHealth president and CEO Emmanuel Ledesma Jr., stressing that the membership data not being affected following the cyber attack was the most important thing.

“It’s very clear na hindi apektado ang membership data. Zero. I think that’s the most important thing to look at… It’s a very complicated issue, but hindi nagalaw at all, completely, ‘yung membership data,” he said.

(It's very clear that the membership data was not affected. Zero. I think that's the most important thing to look at ... It's a very complicated issue, but the membership data was not compromised at all, completely.)

The agency’s system—including its website, Health Care Institution (HCI) and member portal, and e-claims—were disabled or unplugged as part of security containment measures after being hit by a ransomware attack last Friday, September 22.

PhilHealth then said a total of 72 workstations have been compromised by the Medusa ransomware attack, which prompted a shutdown of its system.

Hackers, meanwhile, were even reportedly threatening to release the data stolen from its database should the agency fail to pay them $300,000 or approximately P17 million ransom.

But PhilHealth stressed that it would not pay for such an amount.

A week later, on September 29, PhilHealth announced that its corporate website, member portal, and e-claims were already accessible to the public after the shut down. 

In an advisory that day, PhilHealth said its application systems have been restored at 12 noon of September 29, 2023.

PhilHealth also said that it had coordinated with the National Bureau of Investigation (NBI) and Philippine National Police (PNP) to conduct an investigation and assessment on the matter.

“PhilHealth also welcomes calls for inquiry to get to the bottom of this incident. PhilHealth shall rightfully impose disciplinary actions to people who have been remiss in the performance of their duties if they are found liable,” it said.

“PhilHealth sincerely asks for the public’s understanding and support during this time and implores certain groups and   sectors to refrain from concocting false and misleading information to avoid creating panic and distrust among our members and stakeholders,” PhilHealth added. — RSJ, GMA Integrated News