(Bloomberg) -- The Philippines’ state health insurer didn’t have cyber protection software when hackers attacked its computers, giving criminals access to the data of millions of its citizens and triggering calls for an extensive cybersecurity audit.

While the full extent of the breach has yet to be determined, the Philippine Health Insurance Corp. has warned its over 36 million members — around a third of the country’s population — that their data may have been compromised.

The lapse, partly caused by a change in procurement processes, adds to a series of attacks on Philippine government agencies that has highlighted the Southeast Asian nation’s vulnerability to cybersecurity threats.

PhilHealth discovered the attack on the morning of Sept. 22 as employees turned on their computers, including those used for processing records. Computer screens displayed a message that showed Medusa group claiming responsibility for the attack and demanding $300,000 in exchange for deletion of the agency’s files, Israel Pargas, senior vice president for health finance policy sector, said in an interview on Thursday. 

Some 96 computers were affected, or about a tenth of the agency’s units in its headquarters in metropolitan Manila, he said.

Bloomberg could not independently verify if the Medusa group was responsible for the attack or whether another group used the Medusa ransomware. It’s also not immediately clear how the hackers were able to bypass security of PhilHealth’s computer systems.

PhilHealth said it won’t pay the ransom and is now bracing for the worst. 

“We don’t know how extensive it was. We also don’t know what records were taken. We’ll only know once Medusa releases them,” Pargas said.

It’s possible that a staff accidentally responded to a phishing email that exposed PhilHealth’s computer systems to hackers, said Monchito Ibrahim, a former undersecretary at the Department of Information and Communications Technology.

No Protection

The deadline for the ransom has lapsed - PhilHealth was given 10 days from Sept. 22 to pay up. Hackers have started releasing stolen PhilHealth data on platforms such as Telegram, the Philippine Star reported, citing a group that publishes activities in the dark web.

PhilHealth’s contract with its anti-virus software provider expired in May and it wasn’t able to renew it due to the government’s revised procurement rules, Pargas said. After the hacking, PhilHealth contacted the software provider for help and accepted a 30-day trial offer for a new anti-virus security program from the company, he said. 

PhilHealth also secured “other tools which would actually monitor if there are any accounts or if there’s any other impending attacks,” as it aims to pursue a broader IT upgrade, he added.

As PhilHealth grapples with the aftermath of the incident, the country’s privacy watchdog has initiated a probe while an industry group has questioned how the state health insurer responsible for protecting the information of millions of its members and their dependents doesn’t have a secure data base.

The National Privacy Commission said in a statement on Saturday that it has launched an investigation to determine the full scope of the breach, identify the officials responsible and recommend prosecution.

The commission said an initial analysis of the “data dump claimed by the Medusa group” revealed “a staggering 734 gigabytes worth of data, including personal and sensitive personal information.”

Senator Mark Villar has called for a legislative inquiry into the cyber attacks on PhilHealth and other government agencies. That includes the hacking of the anti-graft office’s computer system that allowed at least three people to access cases against government officials, as well as the alleged breach at key law enforcement agencies that exposed data such as fingerprint scans, birth certificates and passports. Villar said the hacking incidents “require the Senate’s intervention as a matter of economic and national security concern.”

Eye-Opener

A digital quality index released by Surfshark this year ranks the Philippines 45th in e-security among 121 countries around the world, dropping by a notch since last year, the Netherlands-based data-leak detection firm said.

The hacking incident is an “eye-opener” for the Philippines to invest in cybersecurity training, said Ibrahim, the former information and communications technology undersecretary.

“We have the national cybersecurity plan, but a plan is different from execution. If it’s not executed properly, nothing will happen,” Ibrahim said.

Advocacy group Infrawatch PH is calling for a thorough security review across all government agencies. “A comprehensive digital security audit is not just advisable; it’s imperative,” Infrawatch Convenor Terry Ridon said in a statement. “If a database as extensive as PhilHealth’s can be compromised, it casts doubt on the security measures in place for other government systems,” he said.

©2023 Bloomberg L.P.