Ransomware attack forces PhilHealth to shift to manual operations; eyes full restoration of systems ‘soon’


The Philippine Health Insurance Corporation (PhilHealth) eyes the full restoration of its system in the coming days after the ransomware attack last week forced it to shift to manual operations.

Photo from PhilHealth Facebook page

"For now, PhilHealth has shifted to manual operations since Friday, Sept. 22, and we are expecting that today or tomorrow, we will be able to bring some of these systems back online for use," said PhilHealth Health Finance Policy Sector Senior Vice President Dr. Israel Francis Pargas in a televised interview on Tuesday, Sept. 26.

Despite the challenges posed by the ransomware attack and the shift to manual operations, Pargas said PhilHealth remains committed to ensuring that its members continue to receive benefits.

"If members or employers plan to pay premium contributions, they can still do so at PhilHealth offices over the counter since there is no online facility available at the moment," he added.

Containment measures enforced

In the wake of a recent ransomware attack, PhilHealth said it has taken swift action to implement containment measures aimed at mitigating the impact of the cyberattack.

Based on PhilHealth's preliminary investigation into the incident, Pargas revealed that approximately 72 workstations were affected by the ransomware attack.

Pargas noted that the attack specifically targeted critical systems and operations, including PhilHealth's website, e-claim system, member portal, and collection system.

"We deemed it necessary to shut down all our systems first to assess the extent of the information security incident and to reconfigure our systems," Pargas said.

He also explained that this proactive approach was taken to safeguard the security and integrity of their data.

Timeline for restoration  

Pargas noted that while an exact timeline for the full restoration of systems remains uncertain, PhilHealth is diligently working to expedite the process, and testing is underway to ensure the systems function seamlessly, with hopes of resuming normal operations in the coming days.

He also assured PhilHealth members that they will continue to receive benefits despite the ongoing challenges.

"We apologize for this incident, and PhilHealth's operations are still ongoing despite the manual process," he added.

The Medusa Ransomware and alleged ransom demand

Pargas explained that PhilHealth is collaborating with the Department of Information and Communications Technology (DICT) to understand the nature of the Medusa ransomware and its impact on their systems.

He explained that Medusa is an international ransomware syndicate known for encrypting data and then demanding a ransom for decryption.

However, according to PhilHealth's initial investigation, "no personal information leaks or medical data compromises have occurred," Pargas said.

While there have been reports of a ransom demand, Pargas noted that PhilHealth has not received a direct demand from the attackers.

"So far, there hasn't been a direct demand from PhilHealth, but reports suggest they are demanding around $300,000, or approximately 17 million pesos," he said.

Pargas noted that such demands are typical of ransomware attacks, where data is held hostage until a ransom is paid.  

However, he explained that PhilHealth adheres to government policy and "refuses to pay" any ransom demand.

"As soon as we learned about this on Sept. 22, we immediately reported it to the DICT and have been coordinating with them every step of the way to contain this incident and reconfigure our system," Pargas said.

He also said that the National Privacy Commission, the Cybercrime Units of the Philippine National Police (PNP), and the National Bureau of Investigation (NBI) are actively cooperating on this matter.

Pargas added that a hearing with the National Privacy Commission (NPC) is also scheduled to provide further clarity on the incident. (Zekinah Elize Espina)