
DICT: Hackers leaked PhilHealth data


Hackers have leaked the compromised data from a recent ransomware attack against the Philippine Health Insurance Corporation (PhilHealth), the Department of Information and Communications Technology (DICT) said Thursday.

The DICT said the Confucius group uploaded a copy of over 600 gigabytes of files to a website and a Telegram channel after 4 p.m. on October 5, two days after the deadline for a ransom payment of about $300,000, or approximately P17 million, expired.

A video of the leaked information showed photos, bank cards, and transaction receipts of the victims, among others, according to John Consulta's report on "24 Oras."

The caption also urged others to download the file while reminding PhilHealth not to skimp when it comes to data security.

"We're in Stage 3 now; this is the final stage of what I have been calling the triple extortion stages. In Phase 3, they will attack the people they saw in the database, because those people are more prone now. They will spam them. They will scam them," said DICT Undersecretary Jeffrey Dy.

"We should be especially careful about incoming spam texts, scam texts, phishing. Enable multi-factor authentication. This is the kind of password where, after the password, you are sent a text or an e-mail to confirm that you are the one logging in," he said.

A source from the National Bureau of Investigation (NBI) said they have monitored some groups that tried to download the database and warned it may lead to more cases of credential stuffing or identity theft.

For its part, PhilHealth said it would take action to ensure the safety of its employees.

"Our member database is all intact. However, since there are workstations that were hacked, we don’t know the extent of information they were able to get," PhilHealth senior vice president Israel Francis Pargas told GMA News Online.

"If there is a release of information, we might go into that, changing their PIN, changing their passwords, and changing their ATMs if ever necessary," he said.

The DICT believes the uploader is part of the Confucius group.

On September 22, PhilHealth was hit by a Medusa ransomware attack, prompting the temporary shutdown of the online systems of the state health insurer.

Hackers reportedly threatened to release the data stolen from its database should the agency fail to pay a ransom. 

But PhilHealth stressed that it would not pay.

On Tuesday, PhilHealth reiterated that the cyberattack did not compromise the database of its members but affected the application server and workstations of its employees. 

The DICT and the National Privacy Commission (NPC) warned on Wednesday that hackers may also target individuals whose data was compromised by the ransomware. —VBL, GMA Integrated News