After PhilHealth, PSA suffers data breach

Individuals continue to avail services as face-to-face operations and transactions continue at the Philippine Health Insurance Corp. (PhilHealth) in Quezon City on Tuesday (September 26, 2023) amid recent cyber attack.
STAR / Michael Varcas

MANILA, Philippines — The Philippine Statistics Authority (PSA) is next to suffer a data breach staged by cyber hackers, after the successful Medusa ransomware attack on Philippine Health Insurance Corp. (PhilHealth).

The National Privacy Commission, through Public Information and Assistance Division chief Roren Marie Chin, confirmed yesterday that the PSA has suffered a data breach and has filed a breach notification report.

While declining to confirm the cyber attack on PSA, Department of Information and Communications Technology (DICT) Secretary Ivan John Uy said the agency is investigating the case.

Uy said the attack did not involve ransomware like the Medusa’s on PhilHealth but is basically a data breach.

PSA has launched a probe on the alleged data leak, with initial evaluation showing the breach is limited to its Community-Based Monitoring System.

The CBMS is a technology-based system of collecting data used by local government units for their planning, implementation, assessment and intervention activities, as well as by the Department of Social Welfare and Development for targeting households to be enrolled in their social protection programs, including the Pantawid Pamilyang Pilipino Program.

“The PSA assures the public that the Philippine Identification System and the Civil Registration System have not been affected,” the statistics agency said.

It said an assessment is being undertaken on what personal data from the CBMS may have been compromised, and information would be shared with relevant authorities and the public.

The PSA also said additional preventive and containment measures are being implemented to ensure the security and integrity of all systems and data bases, part of which is to shut down and isolate the CBMS.

It warned social media posts with the alleged sample data include links that contain malware that may be used by cybercriminals and bad actors to perpetuate other illicit acts.

Meanwhile, De La Salle University (DLSU) has suffered a “data security incident” that has left some of its online systems inaccessible while university administration deals with possible cybersecurity compromise.

The LaSallian, the university’s official student publication, reported that the DLSU Information Technology Services Office temporarily restricted access to information systems and that it has contracted outside help for assistance.

The Office of the Vice President for Information Technology said the university has sought help from the NPC for appropriate steps in the incident.

Fake IDs

The NPC is urging Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to be vigilant in detecting and preventing the fraudulent use of fake PhilHealth IDs during various transactions in light of the recent leak incident at the health insurer.

It particularly addressed the guidance to PICs and PIPs of banks and nonbank financial institutions, hospitals and public telecommunications entities (PTEs).

The privacy commission highlighted the risks unique and distinct to specific categories of PICs.

For banks and non-bank financial institutions, these include identity and financial fraud as well as money laundering.

Meanwhile, the NPC identified medical fraud as a risk for hospitals, which can be used to claim health care benefits and services, leading to unwarranted financial burdens on hospitals and potentially compromising patient care.

They may also be at risk of patient data breach, emphasizing that the use of counterfeit IDs can result in unauthorized access to patient records and sensitive medical information, jeopardizing patient privacy and confidentiality.

Moreover, risks for PTEs include identity theft in SIM registrations.

“If anyone possesses information related to the use of counterfeit PhilHealth IDs, we kindly request you to contact us promptly at,” the NPC said.

Payments delayed

Personal data stolen in the Medusa ransom attack can no longer be recovered, according to PhilHealth.

Baleña said PhilHealth has created two temporary email addresses where members can file their complaints in case they were affected by the cyberattack.

Initial investigation reveals that an international syndicate is behind the cyber attack.

Meanwhile, during a consultative meeting with Sen. Pia Cayetano, PhilHealth officials admitted that the Medusa attack further delayed its payment of unpaid claims to government and private hospitals amounting to P27.2 billion.

“We expect a delay in payment of claims, because we turned off our system when it happened, and the situation was that hospitals could not submit claims,” PhilHealth executive vice president and chief operating officer Eli Dino Santos said.

DICT confidential funds

Two senators vowed to reinstate the P300-million confidential fund request of DICT, after the House of Representatives rejected the secret fund request of the DICT and other civilian government agencies.

Sen. JV Ejercito said investigative agencies like the DICT, Department of Justice and National Bureau of Investigation should be allowed to have confidential and intelligence funds in its prosecution and investigation of cybercrime.

“My position is that confidential and intelligence funds are better left with departments or agencies that have something to do with national security and fight against criminality… This also pertains to national security and cybercrime,” Ejercito said.

“I would fight for DICT confidential funds. I am convinced that we need to empower our cybersecurity measures. Cybercrime is rampant now,” Senate Majority Leader Joel Villanueva said.

DICT’s Uy reiterated the serious repercussions of the inadequate funds allotted to them to wage a decent fight against hackers, which were armed with the latest technology including artificial intelligence and bots.

“We’re going into battle with our hands tied,” Uy told reporters in an interview. “We just want to make an appeal to our legislators to rethink our strategy.” –  Louella Desiderio, Neil Jayson Servallos, Mayen Jaymalin, Catherine Talavera, Marc Jayson Cayabyab

Show comments