PhilHealth blames hack on new procurement rules

PhilHealth’s operations revert to manual after its website and computer systems were hacked on Sept. 22, 2023. PHOTO BY GRIG C. MONTEGRANDE, PHILIPPINE DAILY INQUIRER

MANILA – Because of new government procurement rules, the Philippine Health Insurance Corp. (PhilHealth) failed to renew its antivirus software licenses last year, leaving its computer system outdated and vulnerable to cyberattacks.

Eli Santos, executive vice president and chief operating officer of PhilHealth, on Monday revealed that his agency failed to proceed with the renewal of subscription licenses for the antivirus software, citing new rules set by the Government Procurement Policy Board (GPPB).

“At the time, there were procurement issues. So … the reason was a strict compliance of rules and regulations, that’s why we weren’t able to update the system,” he said, but did not elaborate.

The PhilHealth official admitted that the antivirus system “was not updated, so probably that’s whe[n] the hackers came in.”

One of the rules revised last year by the GPPB for procurement involved online subscriptions, including computer software and applications. Under its Resolution No. 05-2022, agencies can directly purchase online items using a credit card as the mode of payment, provided that the subscription value does not go beyond P1 million.

Santos, however, clarified that “incident response” and antivirus systems are currently in place to fix the data breach issue.

‘Sensitive info remains safe’

In a statement clarifying the “urgent public advisory” published in the Inquirer, PhilHealth said on Tuesday night that the cyberattack “did not affect our servers containing members’ private information.”

It insisted that the “membership (data), claims, contribution and accreditation information, which are stored in a separate database are intact.”

The earlier notice was given to the public in compliance with the requirement of the National Privacy Commission to reach people whose sensitive information may have been stolen.

The announcement on Monday implied that the following sensitive information of some members may have been compromised: name, address, birthdate, sex, phone number and PhilHealth identification number.

“The number of data subjects or records involved is still undetermined, but we are working relentlessly to gather all relevant information,” it said in a statement.

It then urged members whose details are deemed safe to still be vigilant and take precautionary measures, namely: monitor credit card transactions; place a fraud alert on credit reports; change passwords, especially for financial accounts; and be wary of phishing emails and smishing text messages.

On Sept. 22, PhilHealth shut down its website and online services, including the portal for members and health-care providers, in response to the ransomware attack purportedly carried out by the Medusa group. The group threatened to release stolen data and demanded $300,000, or around P16.8 million.

Motu proprio probe

At the House of Representatives, a Makabayan lawmaker on Tuesday pressed the lower chamber to launch a motu proprio probe of the PhilHealth data breach.

House Assistant Minority Leader Rep. Arlene Brosas said the House information and communications technology panel should investigate the Medusa ransomware attack during Congress’ month-long break. (Kathleen de Villa, Julie Aurelio © Philippine Daily Inquirer)
