A PhilHealth service counter. The spectre of uncertainty looms large as PhilHealth battles to ascertain the extent of the data seized by the relentless hackers using the dark web to carry out their nefarious activities. Image Credit: Screengrab

Manila: In a dramatic turn of events, hackers have taken to the “dark web” to expose certain Philippine Health Insurance Corporation (PhilHealth) data after their ransom demand to the government went unmet.

The "data dump", initially revealing PhilHealth employee information, has been a cause of concern here. An official confirmed that the yet-unknown hackers may have released “teasers” on Tuesday (October 3). That may be a prelude to a larger exposure of members' personal information, an official warned.

Preliminary analysis of the published data revealed PhilHealth employees' identification cards, including Government Service Insurance System (GSIS) IDs, according to Undersecretary Jeffrey Dy of the Department of Information and Communications Technology (DICT).

Hospital bills, payroll data exposed

Additionally, copies of employees' payroll information and various details, such as regional office specifics, memos, directives, working files, and hospital bills, have emerged on the dark web.

In terms of personally identifiable information (PII), the official told local media that they saw some IDs and pictures. It's not immediately clear whether they belong to PhilHealth employees or members.

PhilHealth has an estimated 65.05 million beneficiaries (2022) categorised as direct contributors; indirect contributors, comprising the indigent, senior citizens, and sponsored programme members, had around 39.044 million beneficiaries.

The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. It may be used by people wishing to carry out illegal activities online, such as selling weapons or drugs. These kinds of operations, and the websites offering them, are often referred to as Hidden Services.

While it is not illegal to visit the dark web, you may face criminal charges if you use the dark web to sell or purchase illegal firearms, drugs, pornography, stolen passwords, hacked credit card account numbers, or other items.

Dark web-based operators have been busted in the recent past. In May 2023, a crackdown halted a major dark web drugs marketplace, with international police arresting 288 suspects and recovering more than 50 million euros ($54.8 million) in cash and virtual currency, according to Europol.

$300,000 demand

Previously, the DICT had reported that cybercriminals sought $300,000 (about 17 million pesos) in exchange for decryption keys, along with the “promise” of deleting and refraining from publishing the illegally obtained data.

The government, however, remains steadfast in its policy of not negotiating with hackers or paying ransoms.

Regarding the security of members' data, both the DICT and PhilHealth have asserted that the members' database, which holds private information, claims, contributions, and accreditation details, remains "intact" as it was not part of the servers affected by the Medusa ransomware attack.


The spectre of uncertainty looms large as PhilHealth battles to ascertain the extent of the data seized by the hackers.

The details contained within the database may have existed on other servers ensnared by the malevolent clutches of hacking.

“It seems the PhilHealth workstations and some other servers such as training servers affected by Medusa may have contained this information,” cautioned Dy in a grim revelation.

The state-owned insurer reluctantly emerged from the shadows to provide a chilling clarification, casting a pall of distress throughout the nation.

With trepidation, PhilHealth announced that it believes that the personal data of members had been hacked into.

On Monday night, an urgent notice was unleashed upon the public, a distress call echoing through the digital community, with PhilHealth saying they will notify each victim directly, bearing the ominous burden of a breach that threatens their personal information.