Ransomware group releases data of thousands of PhilHealth members, including senior citizens, PWDs, and employees

Urgent recommendations for members and government agencies


At a glance

  • The Medusa ransomware group targeted PhilHealth, leading to a significant data breach. Over 622GB of sensitive PhilHealth member information, including personal identification details and transaction data, has been leaked online.

  • The publication of data occurred after PhilHealth declined to pay a ransom demand of US$300,000 to the cybercriminal group.

  • Initial links to the leaked data on the dark web contain a remote access trojan (RAT), posing serious risks to those attempting downloads.

  • Authorities, including cybersecurity professionals, advise members to enhance their digital security, remain cautious against scams, and monitor personal accounts diligently.


The Medusa ransomware group has released compressed files in zip format from PhilHealth, the Philippine Health Insurance Corporation. The release comes about two days after PhilHealth refused to pay a ransom of US$300,000. The compressed files are in 160 parts, each being 3,891MB in size. This means the total file size is approximately 622GB, with an additional 3.5GB file. While the files are now available online, John Patrick Lita, CEO and co-founder of SOROS Securities Inc., said it is dangerous to download the files as the initial link from the website of the group on the dark web contains a remote access trojan (RAT) that can compromise the privacy and security of those who will download the files.

Cybersecurity professional Renzon Cruz found that personally identifiable information from PhilHealth is now available online.

Renzon Cruz, Principal DFIR Consultant at Unit 42 by Palo Alto Networks and one of the security professionals analyzing the Medusa attack on PhilHealth, said that the files, when extracted, contain data of PhilHealth members. Cruz's initial assessment shows that the data released by the cybercriminals includes personally identifiable information (PII) of thousands of PhilHealth members, including senior citizens, persons with disabilities (PWDs), and employees.

The data includes names, addresses, dates of birth, sex, nationality, PhilHealth identification numbers, and passwords. The group also released files that contain executive summaries of premium contributions, PhilHealth member transaction data, PWD member information including email and passwords, PhilHealth employee payroll with salary and recent salary adjustments, cashflow of the agency, PWD claims, corporate bank transactions that include account numbers, cheque numbers, debit, dates, and balances, and file statistics.

The release of the stolen data has raised concerns about the security of PhilHealth's systems and the privacy of its members. The corporation has said it is improving its cybersecurity measures and working to prevent future data breaches.

The PhilHealth hack is the latest in a series of data breaches that have targeted government agencies and private companies in the Philippines.

The Department of Information and Communications Technology said it is taking steps to improve cybersecurity in the country.

Jeffrey Ian Dy, Undersecretary for Connectivity, Cybersecurity, and Upskilling at the Department of Information and Communications Technology (DICT), confirmed the leak that included the personal data of PhilHealth members. He cautioned members to be careful.

He said, "If you think you are one of the victims of the data leak, we advise that you change your passwords for your online accounts. Avoid using personal information such as your birthday or a relative's name in your new password. Enable multi-factor authentication. And be vigilant not to click any link sent through text or email."

"We also caution the public against messages that may circulate informing them that they are victims of the data leak and then asking them to click on a link to remedy the situation. Government will not send them any link to click via text or email," Dy added.

The PhilHealth hack shows that the government still has a long way to go in terms of improving its cybersecurity posture. The government must invest in cybersecurity measures and raise awareness of cybersecurity risks among its employees and the public.

Recommendations for PhilHealth members

If you are a PhilHealth member, there are a few things you can do to protect yourself from identity theft and other scams:

Be vigilant against phishing scams. Phishing scams are emails or text messages that trick you into revealing your personal information. Be careful about clicking on links in emails or text messages, and never enter your personal information on a website you don't trust.

Monitor your credit report and bank statements regularly. This will help you to identify any unauthorized activity on your accounts.

Consider placing a fraud alert on your credit report. This will make it more difficult for someone to open a new account in your name.

If you believe that your personal information has been compromised, contact PhilHealth immediately. You should also change your passwords for all of your online accounts.

Cybersecurity professionals' concerns

Cruz and Lita, who are researching the recent incident, are particularly concerned about files that list passwords in clear text, saved in plain text files. This means the ransomware group has access to the passwords of PhilHealth members, employees, and other individuals whose data was stolen.

Renzon Cruz is also concerned about the release of the PhilHealth member transaction data, PWD member information, PhilHealth employee payroll, and corporate bank transactions, as the data could be used by criminals to commit identity theft, fraud, and other crimes.

The PhilHealth hack is a serious cybersecurity incident that has put the personal information of thousands of people at risk. PhilHealth members need to protect themselves from identity theft and other scams.

I asked Angel Redoble, First Vice President & Group CISO, PLDT Group & Smart Communications, about the issue and what the individual, the government and companies need to do on this issue.

There are three scenarios regarding the stolen data. First, it has been sold to interested groups. In this context, there's nothing we can do. Second, our information will be used to commit fraudulent transactions, such as applying for loans or debts without our knowledge. In this scenario, it is essential to always remember actions taken so it's easy to prove that you did not make those debts. And third, the information will be used against you, like blackmail and extortion. In this situation, it's essential to stay strong, not be swayed by threats, don't believe what they say, and contact the authorities.

What should the government do? Set up an office ready to take calls from members included in the stolen data, to assist them if anything wrong happens to them through the use of their stolen information.

Companies should advise their employees to be vigilant. This way, they can quickly notice if something strange is happening with their accounts, emails, and social media accounts, which can be used by those who obtained, stole, or purchased their personal information. Scammers can use their emails and mobile numbers to send smishing and phishing messages. Cybercriminals can also call them, making them victims of vishing.