DICT urges PhilHealth employees, members to change passwords after ransomware attack

Philippine Tribune



The Department of Information and Communications Technology (DICT) on Wednesday urged employees and members of the Philippine Health Insurance Corp. (PhilHealth) to change the passwords for their online accounts.

DICT Undersecretary Jefferson Dy made the remark after PhilHealth was hit by a ransomware attack, warning that hackers may now target individuals whose data have been compromised.

“Make sure that your password is not associated with your personal information. If you are a PhilHealth employee, I guess I suggest that you change your ATM PINs,” Dy said.

“Don’t click a link that you think is trustworthy,” he added. 

Dy pointed to the pattern of the Medusa ransomware group in other countries, including the US.

“Usually, ransomware has a triple extortion scheme. The first extortion: you pay so that they give you the key to access your data again,” Dy said in John Consulta’s “24 Oras” report.

“The second extortion, they will tell PhilHealth, ‘So that you are not embarrassed, here is what I am holding; pay me so that I won’t leak the data,’” he added.

“But this is where you should prepare: the third extortion attempt. In the third extortion attempt, they will use the data they hold to contact the people whose data they already have. And those are the ones they will attempt to extort,” Dy said.

On September 22, PhilHealth was hit by a Medusa ransomware attack, prompting the temporary shutdown of the online systems of the state insurer.

Hackers reportedly threatened to release the data stolen from its database should the agency fail to pay them a ransom of $300,000, or approximately P17 million.

But PhilHealth stressed that it would not pay such an amount.

A week later, on September 29, PhilHealth announced that its corporate website, member portal, and e-claims were already accessible to the public after the shutdown. 

Dy said that while the hackers did not leak information to the public, they provided the DICT a 40-minute video showing the information stolen from the compromised database. 

“They posted a 40-minute video showing what they got. They’ve got videos, 1×1 photos of a lot of people, they’ve got GSIS cards, including some ATM cards of PhilHealth employees,” he said. 

“Every data that is leaked and that includes personal verifiable information in accordance to our Data Privacy Law is serious. These are serious data leaks because there are pictures. So number 1 you can ascertain the name and the person. There is an ID and there is an address,” he added.

On Tuesday, PhilHealth reiterated that the recent ransomware attack against its servers did not compromise the database of its members but affected the application server and the workstations of its employees.

For its part, the National Privacy Commission (NPC) warned of the adverse effects of the compromised PhilHealth data.

“The person talking to us pretends to know us. They already have initial information. They know your name, your address, maybe they also know your birthday. They will gain your trust. They will then get more information to compromise your bank account, e-wallet,” NPC Complaints and Investigation Division Chief Michael Santos said.

“They talk to the contacts. That is among the other identity theft and fraud that can be committed,” Santos said.

Earlier, the NPC said it is assessing whether PhilHealth should be held liable for the cyberattack. —Sundy Locus/NB, GMA Integrated News
