PhilHealth’s crisis of its own making
By the standards of the scandal-plagued Philippine Health Insurance Corp. (PhilHealth), P17 million is a paltry sum. That is the peso value of the $300,000 demand of the “Medusa” ransomware group in exchange for not leaking the PhilHealth data it stole over a week ago, in an attack that has crippled our national health insurer’s online systems until yesterday.
But the irony is that paying off the ransom would probably cost our taxpayers less than letting PhilHealth management run our universal health-care system to the ground, given its “incompetence and lack of accountable leadership,” as its own union describes it.
By asking for an amount small enough that the government might consider paying it but still big enough to send a message, this shadowy group named after the snake-headed Greek monster could teach the PhilHealth organization a lesson or two about moderating greed.
Make no mistake about it: We do not condone any payoff to cybercriminals. That would only invite more attacks on our public information technology (IT) systems—a daunting proposition indeed for many agencies that have yet to fully emerge from the stone age.
We agree, fully and categorically, with the policy of the Department of Information and Communications Technology (DICT) “not to pay any ransom for any type of criminal activity, including cyberattacks.”
That said, we contend that the crisis facing PhilHealth today is one of its own making.
Let us recall that in July 2020, at the height of the pandemic, PhilHealth internal auditors flagged its proposed P2.1-billion IT project for overpricing and other problems.
The auditors found that the system, designed to stem fraud and scams devised by corrupt personnel, was itself tainted with irregularity. Computers and other items were overpriced by as much as P98 million, while software priced at P168,000 per unit was listed as P21 million in the proposed budget.
An internal feud over the IT project grew so heated that it reportedly compelled lawyer Thorrsson Montes Keith to quit his post as PhilHealth anti-fraud officer. In August 2020, Keith testified in the Senate that some P15 billion in funds had fattened the wallets of a “syndicate’’ composed of PhilHealth officials and staff, who denied there was such a thing.
That happened a year after the Inquirer published investigative reports about PhilHealth losing P154 billion to various forms of fraud, such as reimbursements for “ghost dialysis,” overpayments, false claims, and “upcasing” of common ailments.
It’s not yet clear whether the recent cyberattack involved any part of the IT project three years ago, but it wouldn’t be surprising if that were the case.
According to PhilHealth, 72 workstations were affected by the Medusa hack, including the corporation’s website, e-claim system, members’ portal, and collection system.
PhilHealth president and CEO Emmanuel Ledesma said the agency took “containment measures” and went on manual mode. But this is now driving fears that PhilHealth would be unable to pay off most, if not all, of its P27-billion debt to health facilities by December.
More alarming, however, is the confirmation from DICT Undersecretary Jeffrey Dy that some of the stolen data are now on the dark web, or the part of the internet where users remain anonymous and untraceable.
In the meantime, authorities are scrambling to track down the perpetrators.
Said Dy: “Do we know the group? Yes … Do we have an international intelligence network that says where they operate? Yes. Is that enough to file charges against certain people? Not yet.”
Some reports suggest that the compromised data include names, addresses, contact details, and medical records of the insured, as well as internal memos by PhilHealth officers. One could well imagine the repercussions of such sensitive information being released online, leaving Filipinos even more defenseless against digital fraud and identity theft.
As recently as July, public health advocate Dr. Minguita Padilla warned in a television interview that PhilHealth’s IT infrastructure was vulnerable to exploits, as its system and portals “don’t speak the same language.”
“Right now it is porous and fragmented yet—porous, easy for leakages, and fragmented, as it’s not yet totally integrated and interoperable,” she said then.
Even more damning for PhilHealth is its union’s statement on Thursday that the universal health-care system is “being held hostage” not by the hackers but by its own leadership.
The Philhealth Workers for Hope, Integrity, Transparency, and Empowerment called the data breach a “mishap bound to happen because safeguards were not prioritized,” revealing that personnel “make do with shared computers, borrowed printers, and lack of basic virus protection.”
All these tell us that the Medusa hacking could have been prevented had PhilHealth’s officials exercised discretion and foresight, except they elected not to, for reasons known only to them.