STATE-RUN Philippine Health Insurance Corp. (PhilHealth) said it will not pay a single peso of ransom to the Medusa ransomware group that attacked its system last week, resulting in the shutdown of its online services.
However, the “unfortunate” incident forced the state health insurer to spend P172 million to beef up its information technology infrastructure, including its cybersecurity defenses.
The amount includes P110 million in regular procurement and P62 million in emergency procurement.
“We did not pay and we will not pay [the ransom],” PhilHealth President and CEO Emmanuel R. Ledesma Jr. said in a press briefing on Monday in Pasig City, while noting that the hackers demanded a $300,000 ransom in exchange for deletion of the alleged PhilHealth files that they hold.
PhilHealth officials faced the media in a public briefing for the first time since the agency confirmed that the Medusa ransomware group had attacked it at least a week ago.
Nelson S. De Vera, PhilHealth’s Acting Senior Manager of the Information Technology and Management Department, explained that the state health insurer’s database of its members was not affected because it was stored on a different database server.
What was affected by the ransomware attack, De Vera explained, were the application servers and workstations of PhilHealth in its head office in Pasig City.
De Vera disclosed that PhilHealth’s team will soon be able to restore five out of eight of its external servers, while it has been able to install the necessary internal applications on its workstations.
“I think that is already roughly 30 percent [restored],” he said.
PhilHealth has been able to restore its online services including its website, member portal and e-claims, a week after it was attacked by the Medusa ransomware.
However, PhilHealth said it remains “diligent” in restoring its other online systems such as the Health Care Institutions (HCI) portal and application servers as it undertakes “thorough security testing.”
PhilHealth officials recalled the sequence of events to provide a glimpse of how the state agency was left vulnerable to the ransomware attack.
They explained that the antivirus protection of PhilHealth expired in April but was extended until May 15 by the service provider.
Thereafter, PhilHealth wanted to renew with its service provider, but it was hindered by the latest procurement rules issued by the Government Procurement Policy Board (GPPB).
PhilHealth Executive Vice President and COO Eli Dino D. Santos said they were “caught off guard” by the GPPB’s latest rules on renewal of regular and recurring services, which limited the renewal of contracts to a maximum of three years.
“We were caught off guard. We immediately started a new procurement,” Santos said.
PhilHealth’s system was left vulnerable during that period: the necessary infrastructure was not in place because the procurement is still ongoing.
“Basically we were open. It is the possible entry point of the hackers. We were vulnerable,” De Vera said.
“We feel during that period the hackers exploited [the vulnerability],” he added.
Systems in place
Nonetheless, PhilHealth officials disclosed that the agency has installed interim software to protect its system from attacks, thanks to its previous supplier, which provided 30 days of protection at zero cost to the government.
PhilHealth also expects both its regular and emergency procurement for its cybersecurity to be completed within the month.
For his part, Ledesma described as a “bluff” the threat of the Medusa ransomware group to publicly release the information it allegedly hacked from PhilHealth’s system.
He emphasized that the critical and sensitive information of PhilHealth’s members remains “intact” and unscathed from the ransomware attack.
“Clearly it is a bluff. None of the membership data was lost. It’s just one day left, so we’ll just wait for them to pursue their bluff,” he said, referring to Medusa’s deadline for exposing the state health insurer’s files by October 3.