Trying to access the Philippine Health Insurance Corporation? Good luck with that.

A man tries to access the login page of the Philippine Health Insurance Corporation (PhilHealth) in Manila on October 9, 2023. The Philippine Health Insurance Corporation (PhilHealth) urges the public to be vigilant and take precautionary measures against fraudulent activities in light of the September 22 ransomware attack. (Photo by JAM STA ROSA / AFP)

Could the Philippine Health Insurance Corporation cyberattack have been avoided?

• The Philippine Health Insurance Corporation cyberattack lifted 734GB worth of data.
• The Corporation had allowed its antivirus protection to lapse when it was attacked.
• Cybersecurity is vital for businesses – especially in Southeast Asia.

Over the past few years, Southeast Asia has witnessed significant cyberattacks and data breaches. In fact, cybersecurity incidents in Southeast Asia continue to increase, especially in the wake of the Covid-19 pandemic.

IBM Security’s Cost of a Data Breach report showed that data breaches in the region reached an all-time high value of US$3.05 million in 2022, marking a 6% increase from the previous year. Detection and escalation costs jumped 15% over the same timeframe, representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations.

Since then, most countries in the region have taken more steps to boost their cybersecurity defenses. Governments have also amended and introduced new laws to ensure businesses take cybersecurity a lot more seriously. There’s also been collaboration across the region, especially in terms of sharing threat intelligence on potential cyberthreats.

At the same time, almost all industries have been targeted by cybercriminals. However, there have been increased numbers of cyberattacks targeting government agencies, financial institutions and the healthcare industry.

Research from Check Point Software Technologies reveals the healthcare sector experienced an average of 1,684 attacks per week in Q1 2023 – a year-on-year increase of 22%. That makes healthcare the third most targeted industry in 2023, ahead of finance, insurance and communications. Healthcare organizations have extremely valuable data, and the growing complexity of healthcare IT networks provides cyberthreat actors with a variety of potential attack vectors.

The healthcare industry is the third most targeted by cybercriminals. (Image generated by AI)

The Philippine Health Insurance Corporation cyberattack

Given the surge of attacks in the healthcare industry, it would only make sense for organizations dealing with healthcare data to boost their cybersecurity defenses. After all, the healthcare industry not only deals with high volumes of data but also uses numerous technologies today, all of which can be easily targeted by cybercriminals.

Despite this, it seems the Philippine Health Insurance Corporation did not take the matter seriously enough. According to reports by AFP, hackers have stolen the personal data of potentially millions of people from the Philippines’s national health insurer, which has urged members to change their passwords after the “staggering” cyberattack.

The government-owned agency is tasked with overseeing the healthcare of Filipinos in the country. Formed in 1995, the Philippine Health Insurance Corporation is meant to help pay for the care of the sick and subsidize medical payments for those who can’t afford it.

As of June 30, the Philippine Health Insurance Corporation had over 59 million direct and indirect contributors, representing more than half of the Philippines’ population. The hackers released some of the data on the dark web, showing health memos and other information that a top government official described as ‘confidential.’

The cybersecurity incident was discovered after staff were unable to access a number of computers on September 22. The computers also displayed a message saying hackers had locked the machines and encrypted the data. The insurer shut down the affected systems to try to stop the attack from spreading, which slowed or entirely shut down some online services for days.

What made the news even more shocking was a statement from a senior official of the Philippine Health Insurance Corporation, revealing that the company lacked antivirus software at the time of the attack. The official acknowledged a degree of negligence on the Corporation’s part, citing the expiration of antivirus software as a potential vulnerability that may have facilitated the breach.

Investigations are ongoing

Following the cybersecurity incident, the National Privacy Commission (NPC) of the Philippines initiated an immediate, proactive investigation into potential violations of the Data Privacy Act of 2012 by the Philippine Health Insurance Corporation and its officials.

The NPC said that on October 6, the Complaints and Investigation Division of the NPC completed its initial analysis of 650GB worth of compressed files originating from a data dump claimed by the Medusa group.

“Upon extraction, these files revealed a staggering 734GB worth of data, including personal and sensitive personal information. In light of these findings, the NPC has launched a sua sponte investigation to ascertain the full scope of this breach, identify the responsible officials, and recommend prosecution to the fullest extent permissible by law.

“The NPC will leave no stone unturned in its investigation into the potential negligence of officials and explore whether any efforts have been made to conceal pertinent information,” stated the NPC.

AFP also reported that the hackers demanded US$300,000 to restore access to the computers and delete the stolen data. MedusaLocker, first detected in late 2019, has been primarily used to target healthcare organizations, and its creators took particular advantage of the emergency situation during the Covid-19 pandemic, according to a US government report.

The ransomware has been sold to criminal actors. A US government cybersecurity advisory indicated that its creator receives a portion of any ransom paid. It was not clear if the Medusa group identified by the Philippines government is the creator of MedusaLocker, or an entity that purchased the malware.

The government has refused to pay any ransom and the hackers have now started releasing data from the stolen files. Since then, there have been calls for the government to conduct an audit of its cyber-defenses.

Biggest cybersecurity incident in Southeast Asia?

While there have been no official figures on how many accounts were actually compromised by the hackers, the incident is definitely one of the biggest data breaches in the Philippines to date. The last major cyber-incident in the Philippines involved the hacking of the country’s Commission on Elections in 2016.

But over the years, the Philippines has seen increasing cybersecurity incidents. While investments in cybersecurity have also increased in the country, the insurance provider’s explanation that it did not renew its cybersecurity measures clearly indicates that some companies are not prioritizing cybersecurity as they should.

Given the increased digitalization in the country, cybersecurity needs to be a priority for all organizations, regardless of which industries they are from. The NPC says it stands firm in its resolve to combat any actions that contravene the Data Privacy Act of 2012, whether within government or private institutions. The NPC has also warned the public not to download, share, or possess any of the data that has been compromised.

A costly cybersecurity lesson for the Philippine Health Insurance Corporation

The cybersecurity incident at the Philippine Health Insurance Corporation could have been avoided if the company had renewed its security solutions. The insurer could also have significantly boosted its cybersecurity defenses, given that it deals with sensitive data on a daily basis. While it remains to be seen why the renewal was delayed or if other reasons contributed to the breach, one thing is for certain – the damage is already done.

Businesses need to maintain constant awareness of their cybersecurity status. That entails staying informed about their cybersecurity policies, renewal dates, and extent of coverage. Organizations should also check their systems for missing patches and for flaws that need fixing. If companies face a talent shortage in managing these aspects, they can consider outsourcing their cybersecurity to managed service providers.

Either way, taking the right proactive measures in cybersecurity could end up saving companies a lot more in the long run. Reactive cybersecurity options can also help them detect incidents and recover their systems a lot faster. It’s also crucial to have a sufficient backup system in place to ensure there is minimal disruption to the business.

The Philippine Health Insurance Corporation should be both proof of the need for effective cybersecurity, and a warning to businesses to keep their protection up to date.