Ransomware · Resolved

PhilHealth Medusa ransomware attack

The Medusa ransomware gang breached the Philippine Health Insurance Corporation, exfiltrating around 750 GB of sensitive member and medical data and demanding a $300,000 ransom; the government refused to pay and the data was leaked.

Victim: Philippine Health Insurance Corporation (PhilHealth)
Users affected: 42.0M

On 22 September 2023, the Medusa ransomware gang struck the Philippine Health Insurance Corporation (PhilHealth), the government-owned agency that administers universal health coverage for the Philippines. The attack encrypted internal systems, knocked member-facing services offline, and exfiltrated roughly 750 GB of highly sensitive data.

What happened

Medusa is a financially motivated ransomware-and-extortion operation. After breaching PhilHealth's network, the gang deployed ransomware and stole a large trove of records before demanding a $300,000 ransom (about 17 million Philippine pesos) in exchange for a decryption key and a promise to delete the stolen data.

A subsequent investigation surfaced a striking contributing factor: at the time of the attack, PhilHealth's systems were running without antivirus protection because the licence had expired and its renewal had been held up by government procurement procedures. Public reporting describes the lapsed licence as a gap that weakened the agency's defences, not as the confirmed initial access vector, which was not disclosed.
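The lesson practitioners draw from the licence lapse is that endpoint protection is a control whose health has to be monitored continuously, and that renewals must start well before a slow procurement cycle can let coverage expire. The following is an added example, not code from the original page and not anything PhilHealth or its vendors run; it assumes a hypothetical endpoint inventory export (hostname, agent presence, licence expiry, last definition update, last check-in) and flags hosts whose protection has lapsed, is about to lapse, or is silently stale. The inventory records and the reference date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EndpointStatus:
    """One row of a hypothetical endpoint-protection inventory export (assumed shape)."""
    hostname: str
    agent_installed: bool
    licence_expires: Optional[date]        # None when no licence record exists
    last_definition_update: Optional[date]  # None when the agent never updated
    last_check_in: Optional[date]           # None when the agent never reported in


# Thresholds are illustrative; tune them to the product and the organisation's change cycle.
MAX_DEFINITION_AGE = timedelta(days=7)    # signatures older than this are treated as stale
MAX_CHECKIN_AGE = timedelta(days=3)       # an agent silent this long is treated as absent
LICENCE_WARNING_WINDOW = timedelta(days=60)  # start renewal before procurement lead time runs out


def assess_endpoint(ep: EndpointStatus, today: date) -> List[str]:
    """Return a list of findings for one host; an empty list means the host looks protected."""
    findings: List[str] = []
    if not ep.agent_installed:
        # Nothing else is meaningful without an agent, so stop here.
        findings.append("no endpoint-protection agent installed")
        return findings

    if ep.licence_expires is None:
        findings.append("no licence record")
    elif ep.licence_expires < today:
        findings.append(f"licence expired on {ep.licence_expires.isoformat()}")
    elif ep.licence_expires - today <= LICENCE_WARNING_WINDOW:
        findings.append(
            f"licence expires within {LICENCE_WARNING_WINDOW.days} days "
            f"({ep.licence_expires.isoformat()})"
        )

    # A licensed agent that stopped pulling signatures is almost as bad as no agent.
    if ep.last_definition_update is None or today - ep.last_definition_update > MAX_DEFINITION_AGE:
        findings.append("signature definitions stale")

    # A licensed, updated agent that no longer reports in cannot raise alerts either.
    if ep.last_check_in is None or today - ep.last_check_in > MAX_CHECKIN_AGE:
        findings.append("agent has not checked in")

    return findings


def unprotected_hosts(inventory: List[EndpointStatus], today: date) -> Dict[str, List[str]]:
    """Map each host with at least one finding to its findings; healthy hosts are omitted."""
    result: Dict[str, List[str]] = {}
    for ep in inventory:
        findings = assess_endpoint(ep, today)
        if findings:
            result[ep.hostname] = findings
    return result


# Constructed sample data for the example; the dates and hostnames are invented.
TODAY = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    EndpointStatus("db-01", True, date(2025, 1, 31), date(2024, 2, 29), date(2024, 3, 1)),   # healthy
    EndpointStatus("web-02", True, date(2023, 4, 30), date(2023, 4, 30), date(2024, 2, 28)),  # licence lapsed, signatures frozen
    EndpointStatus("fs-03", True, date(2024, 4, 15), date(2024, 2, 27), date(2024, 3, 1)),    # renewal due soon
    EndpointStatus("kiosk-04", False, None, None, None),                                       # never had an agent
    EndpointStatus("hr-05", True, date(2025, 1, 31), date(2024, 2, 29), date(2024, 2, 10)),   # agent went quiet
]

if __name__ == "__main__":
    for host, findings in unprotected_hosts(SAMPLE_INVENTORY, TODAY).items():
        print(f"{host}: {'; '.join(findings)}")
```

The point of checking definition age and check-in age alongside the licence date is that a lapsed licence usually shows up first as an agent that quietly stops updating, which is exactly the state a host can sit in for months if nobody is watching. Wire a check like this into the same dashboard that tracks backups and patch status, and alert on the warning window, not on the expiry date.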

Data exposed

The roughly 750 GB of exfiltrated data included some of the most sensitive categories of personal information a government holds:

  • Patient medical case files and records
  • Member billing records and identifiers
  • Records of rebel returnees under the PAMANA programme
  • Records of members with disabilities (PWD), including files that contained passwords
  • Indigent and senior-citizen billing records
  • "Killed in action" and "killed in operation" records

Later reporting indicated the breach may have affected up to 42 million people.

Ransom standoff

The Philippine government, coordinating through the Department of Information and Communications Technology (DICT), publicly refused to pay the ransom, citing both its policy against funding criminals and the lack of any assurance that payment would actually protect the affected members. When the deadline passed in early October 2023, Medusa began publishing the stolen data on its dark-web leak site.

Impact and response

The leak exposed millions of Filipinos — including medical patients and vulnerable groups — to identity theft, extortion and fraud. The National Privacy Commission opened an investigation, and PhilHealth urged members to monitor their accounts and remain alert to phishing. The incident became a national scandal over the state of cybersecurity in Philippine government agencies.

Why it matters

The PhilHealth breach is the Philippines' defining healthcare-sector incident. An expired antivirus licence, a basic and preventable lapse, meant a national health insurer's most sensitive records sat on systems with a missing layer of protection when a ransomware gang arrived. The lapse exposed chronic underinvestment and procurement-driven delays in government cybersecurity, and it reinforced, at national scale, the principle that critical public-sector data demands sustained, well-funded, continuously monitored protection rather than controls that can silently expire.

Timeline

  1. The Medusa ransomware gang attacks PhilHealth, encrypting systems and exfiltrating data; several online services are taken offline.

  2. Medusa demands a $300,000 (around 17 million peso) ransom to decrypt and delete the stolen data.

  3. The Philippine government, through the DICT and PhilHealth, publicly refuses to pay the ransom.

  4. Medusa begins publishing the stolen PhilHealth data on the dark web after the deadline passes.

  5. Reports indicate up to 42 million people may have been affected; investigations cite an expired antivirus licence as a contributing factor.

Sources

  1. philstar.com: https://www.philstar.com/headlines/2023/10/06/2301566/medusa-hackers-release-stolen-philhealth-data
  2. bitpinas.com: https://bitpinas.com/fintech/philhealth-assures-data/
  3. databreaches.net: https://databreaches.net/2024/07/08/ph-42-million-people-possibly-affected-by-2023-philippine-health-insurance-cyberattack/
  4. hipaajournal.com: https://www.hipaajournal.com/lack-of-antivirus-software-behind-philhealth-ransomware-attack/
  5. gulfnews.com: https://gulfnews.com/world/asia/philippines/philippines-hackers-demand-300k-after-health-insurers-data-compromised-1.1695653631406

Related incidents

Ransomware · Resolved

ALAB Laboratoria ransomware data leak

The RA World ransomware gang breached Poland's nationwide ALAB Laboratoria medical-lab network, stealing patient test results and PESEL identity numbers. ALAB refused to pay, and the criminals published sensitive medical data on tens of thousands of patients in what became Poland's largest medical data breach.

Victim: ALAB Laboratoria
Records affected: 50.0K