MANILA, Philippines – The National Privacy Commission (NPC) on Monday evening, September 25, said it was notified by government health insurer Philhealth regarding a ransomware attack, originally confirmed by the Department of Information and Communications Technology (DICT) on Friday, September 22. 

According to data privacy laws, entities have 72 hours to report a breach to the NPC upon discovery.

The ransomware attack on the NPC involved a cyber gang called Medusa. The gang has asked for $300,000 or around P17 million to unlock the breached database, an amount that Philhealth says it will not pay, according to a GMA report. 

In the same report, the DICT provided further confirmation of the breach, saying that the hackers have uploaded internal Philhealth documents on the dark web as proof of the hack. The agency also told GMA that only employee information was breached.

A statement by Philhealth on September 23 said “no personal information and medical information has been compromised or leaked.” The insurer, after discovery of the breach on Friday, disabled access to its website, health care institution, and member portal and e-claims services as part of its “information security containment measures.”

Philhealth said it was working to restore its systems by September 25. As of writing on September 26, the Philhealth website appears to remain down. 

Philhealth is scheduled for a hearing with the NPC on September 26, and an onsite investigation on Thursday, September 28. 

The NPC says it expects “PhilHealth to provide a complete report within the next two days.” 
“This report must offer a comprehensive account of the breach, including details on the personal data that may have been compromised, and the measures implemented to contain and rectify the situation,” the privacy body said. – Rappler.com