The government organization that manages the universal healthcare system of the Philippines is facing backlash from lawmakers after it failed to notify more than 42 million people that their health information was leaked during a ransomware attack last fall.

Eli Dino Santos, executive vice president of the Philippine Health Insurance Corporation (PhilHealth), testified at a hearing in the House of Representatives Committee on Appropriations on Monday. He confirmed that the organization has not provided notice about the data leak to each victim as legally required.

A lawyer at the hearing said PhilHealth needed to notify victims within 72 hours of the incident and tell them what data was stolen, how the breach occurred, what risks each individual faces and how people can protect themselves. 

 Rep. Stella Quimbo demanded a status report on the data breach notification effort by Wednesday and asked for PhilHealth to offer a plan for how they will notify victims by the end of the week. 

The government-owned entity provides a national health insurance program for the country’s 114 million citizens. In September 2023, the Medusa ransomware gang attacked the organization and caused weeks of outages.  

PhilHealth claimed at the time that “no personal information and medical information has been compromised or leaked.”

But by October 2023, the government confirmed that the information of 8.5 million senior citizens was stolen during the attack. 

In April, the government created a portal for those affected, where people can enter a 12-digit identification number that is the Filipino equivalent to a Social Security number to see if they may have been impacted. 

That site says 42,089,693 million people had information included in the 430 gigabytes stolen by the ransomware gang. 

The Philippines has faced a barrage of both criminal and nation-state attacks in recent years. 

The government said it repelled cyberattacks by China in February, and a cybersecurity firm said it saw a nearly 325% jump in malicious cyber activity targeting the Philippines during the first months of 2024. Meanwhile, a hacktivist group was found using ransomware to launch “small-scale” attacks on critical infrastructure in the country.