PhilHealth online systems expected back by Wednesday

By Ma. Teresa Montemayor

September 26, 2023, 5:15 pm

BUSINESS UNUSUAL. Philippine Health Insurance Corp. transactions go through the manual process, like in this branch in Mother Ignacia Avenue, Quezon City, on Tuesday (Sept. 26, 2023), four days after its system was attacked by the Medusa ransomware. The cyberhackers are reportedly demanding USD300,000 or about PHP17 million to decrypt the files, but the state health insurer said it won't pay. (PNA photo by Joan Bondoc)

MANILA – The Philippine Health Insurance Corporation (PhilHealth) is expecting to open some of its online services by Wednesday after shutting down all its systems due to a cybersecurity attack.

PhilHealth has been on manual operations since Sept. 22 following the hacking of its database through the Medusa ransomware.

"We shifted to manual operations, starting Friday until now, but we're expecting today (Tuesday) or until tomorrow we'll be able to 'up' some of the systems so we can use them again," PhilHealth senior vice president for Health Finance Policy Dr. Israel Francis Pargas said Tuesday during a Bagong Pilipinas Ngayon interview.

The agency reported the incident to the Department of Information and Communications Technology (DICT) for containment and system reconfiguration.

All of its systems were shut down to see the extent of the information security incident.

Around 72 workstations were infected and the affected systems include the e-claims system, member portal system and collection system.

No personal information or medical information of PhilHealth members has been leaked or compromised, Pargas said.

He added that there is an ongoing investigation by the National Privacy Commission and cybercrime units of the Philippine National Police and National Bureau of Investigation to determine how the virus was able to penetrate the system.

PhilHealth's information technology department, information security department, and data protocol officer are being interviewed as part of the investigation.

Since some of the employees’ computers were infected, Pargas said they will be reviewing the access given to the employees and the control measures on access provision and use.

To ensure continued services, PhilHealth released public advisories and instructions for members who will claim benefits in hospitals, and for employers and members who will make premium payments through over-the-counter processing.

"So far, there is no direct demand or ransom demand for PhilHealth, but there is news that they're demanding USD300,000 or PHP17 million," Pargas said.

"We will not pay," he added.

Earlier, the DICT said the Medusa ransomware attacks started in 2019. International syndicates acquire data from websites and encrypt it.

For the data to be decrypted and used again, these groups demand ransom payment from the owners of the compromised devices.

In an advisory, the DICT said the Medusa ransomware is distributed by "exploiting publicly exposed Remote Desktop Protocol servers either through brute force attacks, phishing campaigns, or exploitation of existing vulnerabilities".

"Once inside the network, the Medusa ransomware will then move laterally on the network to infect other machines via Server Message Block or by exploiting the Windows Management Instrumentation," the DICT said.

The agency advised government agencies and the public to refer to the technical advisory through the link https://dict.gov.ph/wp-content/uploads/2023/09/DICT-Medusa-Advisory.pdf for further details about the Medusa ransomware and the measures that must be implemented to prevent it from accessing systems and devices. (PNA)