Hackers have begun exposing on the dark web some Philippine Health Insurance Corporation (PhilHealth) data — including details on employees — after failing to get ransom money from the government, an official confirmed on Tuesday.
Initial analysis showed that among the information published were PhilHealth employees’ identification cards, including Government Service Insurance System IDs, said Undersecretary Jeffrey Dy of the Department of Information and Communications Technology (DICT).
Dy also said they saw on the dark web copies of employees’ payroll and other details such as “their regional offices, memos, directives, working files, [and] hospital bills.”
“In terms of PII (personal identifiable information), we saw some IDs, pictures, which we cannot ascertain at the moment if they are Philhealth employees, or members,” the official wrote in a message.
He said these appear to be “teasers” from hackers, who might still be waiting for the government to accede to their ransom demand.
The dark web — which may be accessed only through a specialized web browser — uses technology that allows users to stay anonymous. Because of this, while that part of the internet is legal, it is also used for criminal activities, including the sale and purchase of prohibited items and illegally acquired materials, such as drugs, pornography, and stolen identities.
Earlier, the DICT said the cybercriminals have asked for $300,000 (roughly ₱17 million) in exchange for handing over decryption keys, as well as deleting and not publishing the data they illegally obtained.
The government said it will stick to its policy of not paying any ransom to hackers.
Were members’ data compromised?
Both the DICT and PhilHealth said the members’ database – which contains their private information, claims, contribution and accreditation details – remains “intact” as it was not part of the servers affected by the Medusa ransomware attack.
But this doesn’t necessarily ensure hackers were not able to obtain members’ information.
Authorities explained this is because the same details in the database may have also been available in the other servers which were affected by the hacking.
“It seems the Philhealth workstations and some other servers such as training servers affected by Medusa may have contained these information,” Dy wrote.
PhilHealth said it is still determining if the data acquired by hackers include personal details on its members.
The state insurer made the clarification after posting an urgent notice to the public on Monday night, saying it believes members’ personal data “were compromised” and that it is working to notify all affected individuals directly.
“The said notice is in faithful and substantial compliance to the requirement of the National Privacy Commission to proactively reach out to and inform data subjects who may be affected by the malicious posts of the attackers,” the corporation said.