THE Department of Information and Communications Technology (DICT) said data on “millions” of members who were exposed in the Philippine Health Insurance Corp. (PhilHealth) data breach could eventually be sold on to scammers after the government refused to pay ransom.

“I would not put it past them for as long as there is an opportunity because they were unable to get ransom from the government… they will try to monetize the information by selling to scammers (and) phishers,” Information and Communications Technology Secretary Ivan John E. Uy said.

The estimate of the number of affected PhilHealth users was given by Undersecretary Jeffrey Ian C. Dy, who was speaking to reporters on the sidelines of the DICT’s Cybersecurity Month 2023 event on Monday. 

“Unfortunately, it is a significant amount — millions. We are 90% done (analyzing the breach) but the numbers could be trimmed down (to eliminate duplicate cases),” he said.

In September, PhilHealth was hit by a ransomware attack, with the hackers demanding $300,000 from the government in exchange for decryption keys to the data that had been held hostage.

Last week, the hackers started publishing personal data including employee records, pictures, payroll details, and hospital bills.

Mr. Uy said about 600 gigabytes of data had been taken from PhilHealth.

He said that the DICT is still looking into the possibility that the hackers had obtained more than the 600 gigabytes initially estimated.

The DICT is still trying to determine the identity of the hackers behind the attack, Mr. Uy said.

“If these are operating from third countries that are safe havens, we will not be able to pin them down but we can identify them. I think local groups are not as confident because we can pin them down; they are within our jurisdiction,” he said. — Ashley Erika O. Jose