Image: Mara Rivera via Unsplash

Philippines state health org struggling to recover from ransomware attack

The government organization that manages the universal healthcare system of the Philippines has struggled to recover from a ransomware incident that forced it to take several websites and portals offline.

On Friday morning, officials from the Philippine Health Insurance Corporation (PhilHealth) said they discovered an information security incident and immediately began an investigation into the situation with the help of several other government agencies. The government-owned entity provides a national health insurance program for the country’s 114 million citizens.

“While investigation is being undertaken, affected systems shall be temporarily shut down to secure our application systems. We appeal for the public's understanding regarding the matter,” the organization said.

In an update on Monday, PhilHealth President and CEO Emmanuel Ledesma said access to Health Care Institution (HCI) member portals and e-claims “were disabled or unplugged immediately as part of the information security containment measures being implemented by PhilHealth.”

“Affected systems shall be restored at the soonest possible time after the completion of the needed configuration and reinforcement of existing information security measures. We are working to restore these systems on Monday, September 25, 2023,” the organization explained.

“PhilHealth's Management assures the public that the incident is under control and that no personal information and medical information has been compromised or leaked.”

They added that healthcare facilities are still able to provide benefits to those who come and that PhilHealth is “doing its best to enable the affected systems to work on Monday, Sept 25, 2023.”

The Department of Information and Communication Technology (DICT) and several law enforcement agencies are conducting a forensic investigation into the situation.

While systems are down, members and dependents have to provide a photocopy of the member's PhilHealth Identification Card (PIC) or Member Data Record (MDR) or any identified acceptable supporting documents.

Payments for services have to be made over the counter and cannot be done online. Healthcare facilities will “continue deducting PhilHealth benefits and devise temporary arrangements with patients who are for discharge for them to avail of their benefits.”

The organization will add 60 days to the filing period for claims being made between June and September.

“Employers may submit their reports once the Electronic Premium Remittance System (EPRS) has been restored. Meanwhile, PhilHealth continues its operations and processes transactions that can be done manually while configurations are ongoing,” they said.

The attack was claimed by the Medusa ransomware gang, which added the organization to its leak site on Saturday.

The gang gave PhilHealth 10 days to pay several different ransoms, including $100,000 to extend the ransomware’s deadline and $300,000 to either delete all the stolen data or download it.

The group did not say what data was taken or how much was exfiltrated.

In an advisory last year, the Cybersecurity and Infrastructure Security Agency (CISA) warned that Medusa operates as a Ransomware-as-a-Service (RaaS) model and typically gives affiliates 60% of ransoms while keeping the rest.

“Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks,” they wrote in a joint memo with the U.S. Department of Treasury and the Financial Crimes Enforcement Network last year.

“The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file.”

The gang has made a point of going after government-level organizations, attacking Minneapolis’ public school district, an Italian company that provides drinking water to nearly half a million people, the French town of Sartrouville and Tonga’s state-owned telecommunications company.

In an interview with CNN Philippines, DICT Undersecretary Jeffrey Ian Dy said Medusa “is now an active threat not only to the Philippines but also worldwide.”

He added that they are coordinating with international partners to help recover from the incident. According to a preliminary analysis, Medusa actors had been inside PhilHealth's systems since June, and he said the main concern at present is that employee data was stolen during the attack.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.