Hackers demand $300,000 for compromised PhilHealth database


Metro Manila (CNN Philippines, September 25) — Hackers have asked for $300,000 or roughly ₱17 million from the government after the database of state insurer Philippine Health Insurance Corporation was hacked through the Medusa ransomware, according to the Department of Information and Communications Technology (DICT).

DICT Undersecretary Jeffrey Ian Dy said the ransom is in exchange for three things, namely:

- to hand over the decryption keys so the data can be accessed again;

- to delete the data that they obtained and not publish these to the public; and

- to give DICT the copy of the data which is in their possession.

DICT said it is working with PhilHealth and its outsourced cybersecurity vendors to complete the "clean up" of the system, adding the most urgent task is to reactivate PhilHealth's online services, as the health insurer was forced to undergo over-the-counter processing since Sunday.

Dy said authorities have gathered evidence against the cyberattackers.

"Hopefully, together with our law enforcement agencies, we can apprehend the culprits. We also need to coordinate with our international counterparts since these criminals are operating internationally," he said.

In an interview, Dy warned that there is no guarantee that the hackers will fulfill the conditions once the ransom is paid.

“Medusa ransomware is now an active threat not only to the Philippines but also worldwide,” Dy said.

On the other hand, Dy said the situation with PhilHealth is now “under control” as DICT was able to identify which computers have been infected by the Medusa ransomware, some of the servers that attacked PhilHealth’s cybersecurity, and how PhilHealth’s data were compromised.

“I would like to assure the public that basically — you would have notice na down yung mga online services sa PhilHealth — It is not because these services that are front facing or facing the public have been infected,” Dy told CNN Philippines.

[Translation: I would like to assure the public that basically — you would have noticed that the online services of PhilHealth are down — It is not because these services that are front facing or facing the public have been infected.]

“What we did is we advised PhilHealth to turn off their critical services and to isolate the critical services so that the ransomware infection, if I may say, will not spread to the critical computers,” he added.

Online services of PhilHealth will be available in “the next few days,” Dy assured.

The Medusa ransomware has been with PhilHealth since June, Dy said.

He explained that the Medusa ransomware hides and then spreads itself in PhilHealth's system so that its source goes undetected.

“Unfortunately, some of these notes and worksheets [that were leaked] have some personal data mostly of PhilHealth employees, not of PhilHealth members,” Dy said.

“As of this moment, as per our investigation or checking, the PhilHealth [members] databases are safe and secure,” he added.

Dy also appealed for an increase in the budget of the Cybersecurity Bureau of DICT as there is a trend of cyber attacks in the country.

Dy admitted that there is a concern about the country’s cybersecurity posture as 3,000 cyberattack cases were reported to the DICT from January to August 2023.

He said only ₱400 million was allotted for DICT’s Cybersecurity Bureau.

DICT on Sunday issued guidelines to government offices on how to protect themselves from the Medusa ransomware.

CNN Philippines' Lara Tan and Paige Javier contributed to this report.