Security - October 11, 2023

No Antivirus, No Chance - How PhilHealth Handed Medusa the Keys

The Philippine health insurer got hit by Medusa ransomware because their antivirus subscription expired. 42 million records leaked.

Mary
George

On September 22, 2023, the Medusa ransomware gang walked into the Philippine Health Insurance Corporation's network and took everything. 730 gigabytes of data. 42 million people's records - membership information, medical histories, personal details. Medusa asked for $300,000 to delete it. PhilHealth didn't pay. So Medusa dumped the whole thing on the dark web.

Here's the part that should make you physically uncomfortable: PhilHealth's antivirus subscription had expired before the attack. Not misconfigured. Not bypassed. Expired. As in, nobody renewed the license.

I've broken into systems protected by multiple layers of security, and it was hard. I've also broken into systems with no security at all, and it was boring. What happened at PhilHealth wasn't a sophisticated attack. It was walking through an open door into an empty house.

What Medusa Found

When an attacker gets into a healthcare organization's network, the first thing they do is figure out what they're working with. What's the network look like? Where's the data? What security tools are running? In PhilHealth's case, that last question had a very short answer: nothing.

No active antivirus means no endpoint detection. No behavioral analysis. No signature matching. No alerts when Medusa started encrypting files. No quarantine when the ransomware payload executed. The attack had no friction whatsoever - from initial access to full encryption to data exfiltration, there was nothing in the way.

The investigation turned up exactly what you'd expect from an organization running without basic protections: poor data governance, inadequate backup strategies, and weak access controls. This wasn't a single point of failure. It was a systemic absence of security fundamentals.

PhilHealth's leadership initially claimed that membership data remained "intact and protected" after they shut down systems. The National Privacy Commission and the Department of Information and Communications Technology told a different story. Conflicting statements from the people who were supposed to be managing the incident - never a good sign.

730 Gigabytes on the Dark Web

The government refused to pay the $300,000 ransom. That's the right call - paying ransoms funds more attacks. But the consequence was predictable. Medusa published the stolen data, and 42 million Filipinos had their sensitive information exposed to anyone willing to browse a .onion site.

The National Privacy Commission analyzed 650 GB of the compressed files from the data dump. Think about the scale of that. Medical records, insurance details, personal identifiers - all of it sitting on dark web forums where it'll be bought, sold, and used for fraud for years to come.

The Philippine government's response was to create a portal where citizens could check if their data was leaked. That's damage control, not security. By the time you're building a "check if you've been breached" website, you've already lost.

Why This Matters to US Healthcare

You're reading this and thinking "we'd never let our antivirus expire." Maybe. But let me ask you a few questions.

Do you know the license renewal date for every security tool in your stack? Not just the big ones - every endpoint agent, every network sensor, every subscription-based threat feed? What about the tools your third-party vendors run on systems that connect to your network?

Do you have visibility into which endpoints actually have active protection right now, today? Not which ones had it installed six months ago - which ones are currently running, currently updated, currently reporting to your management console?

Healthcare organizations run thousands of endpoints. Workstations, nursing stations, medical devices, IoMT sensors, PACS viewers, lab systems. Every one of them is a potential entry point. And in my experience, there's always a subset where the agent crashed and nobody noticed, where the license lapsed on a device that got reimaged, where a legacy system can't run modern endpoint protection at all.
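The questions above reduce to a join between three data sets most organisations already have but rarely compare: the asset inventory, the endpoint agent's check-in telemetry, and the license records for each security subscription. The script below is an added example written for this article; it is not SecUnit's code or PhilHealth's, and every host name, product name, timestamp and threshold in it is constructed for illustration. It flags hosts with no agent at all, hosts whose agent has gone silent, hosts running stale signatures, and subscriptions that have lapsed or are about to, and it treats an expired agent license as zero effective coverage even when every agent is still phoning home.

```python
"""Endpoint-protection coverage check (added example; all data constructed).

Joins an asset inventory against agent check-ins and license records and reports
every host that is not actually protected right now.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 9, 20, 12, 0, tzinfo=timezone.utc)  # constructed "now"
HEARTBEAT_MAX_AGE = timedelta(hours=24)   # agent must have checked in within a day
SIGNATURE_MAX_AGE = timedelta(days=3)     # definitions older than this count as stale
LICENSE_WARN_WINDOW = timedelta(days=30)  # warn this far ahead of renewal

# Constructed asset inventory: every host the organisation knows about.
INVENTORY = ["ws-001", "ws-002", "nurse-07", "pacs-viewer-2", "lab-lis-1", "mri-console"]

# Constructed agent telemetry: last check-in and last signature update per host.
AGENT_CHECKINS = {
    "ws-001": {"last_seen": NOW - timedelta(minutes=10), "sig_updated": NOW - timedelta(hours=6)},
    "ws-002": {"last_seen": NOW - timedelta(days=9), "sig_updated": NOW - timedelta(days=9)},  # agent crashed
    "nurse-07": {"last_seen": NOW - timedelta(minutes=3), "sig_updated": NOW - timedelta(days=12)},  # stale defs
    "pacs-viewer-2": {"last_seen": NOW - timedelta(hours=1), "sig_updated": NOW - timedelta(hours=2)},
    # lab-lis-1 (reimaged) and mri-console (legacy) never reported at all
}

# Constructed license records; product names are hypothetical.
LICENSES = {
    "endpoint-agent": {"expires": NOW - timedelta(days=5)},    # already lapsed
    "threat-feed": {"expires": NOW + timedelta(days=12)},      # renewal due soon
    "network-sensor": {"expires": NOW + timedelta(days=200)},  # fine
}
RENEWED_LICENSES = {"endpoint-agent": {"expires": NOW + timedelta(days=90)}}  # constructed "after renewal"


def endpoint_findings(inventory, checkins, now=NOW):
    """Return (host, finding) pairs for every host that is not fully protected."""
    findings = []
    for host in sorted(inventory):
        rec = checkins.get(host)
        if rec is None:
            findings.append((host, "no-agent"))
            continue
        if now - rec["last_seen"] > HEARTBEAT_MAX_AGE:
            findings.append((host, "agent-silent"))
        if now - rec["sig_updated"] > SIGNATURE_MAX_AGE:
            findings.append((host, "stale-signatures"))
    return findings


def license_findings(licenses, now=NOW):
    """Return (product, finding) pairs for lapsed or soon-to-lapse subscriptions."""
    findings = []
    for product, rec in sorted(licenses.items()):
        remaining = rec["expires"] - now
        if remaining <= timedelta(0):
            findings.append((product, "expired"))
        elif remaining <= LICENSE_WARN_WINDOW:
            findings.append((product, f"expires-in-{remaining.days}d"))
    return findings


def coverage_ratio(inventory, checkins, now=NOW):
    """Fraction of inventory hosts with a live agent and fresh signatures."""
    unprotected = {host for host, _ in endpoint_findings(inventory, checkins, now)}
    return (len(inventory) - len(unprotected)) / len(inventory)


def effective_coverage(inventory, checkins, licenses, agent_product="endpoint-agent", now=NOW):
    """Coverage after accounting for the agent license: a lapsed or unknown license
    means zero effective protection even if every agent is still checking in."""
    expires = licenses.get(agent_product, {}).get("expires", now)
    if expires <= now:
        return 0.0
    return coverage_ratio(inventory, checkins, now)


if __name__ == "__main__":
    for host, finding in endpoint_findings(INVENTORY, AGENT_CHECKINS):
        print(f"ENDPOINT {host:15} {finding}")
    for product, finding in license_findings(LICENSES):
        print(f"LICENSE  {product:15} {finding}")
    print(f"agent coverage:     {coverage_ratio(INVENTORY, AGENT_CHECKINS):.0%}")
    print(f"effective coverage: {effective_coverage(INVENTORY, AGENT_CHECKINS, LICENSES):.0%}")
```

The point of the separate `effective_coverage` figure is the PhilHealth failure mode: a console full of green check-ins says nothing if the subscription behind those agents has lapsed. In practice the inventory should come from the CMDB or network discovery rather than from the agent console itself, because a host the agent never saw is exactly the one you need to find.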

PhilHealth had 65 million beneficiaries. American hospital systems serve similar populations. The attack surface is comparable. The data is equally valuable. And the Medusa group doesn't limit its operations to the Philippines - they hit targets globally.

The Real Lesson Isn't About Antivirus

Let's be honest: antivirus alone wouldn't have stopped Medusa. Modern ransomware groups use living-off-the-land techniques, legitimate remote access tools, and custom payloads designed to evade signature-based detection. Antivirus is necessary but nowhere near sufficient.

The real lesson from PhilHealth is about security fundamentals - the boring, unglamorous work of making sure every layer of defense is actually functioning. Antivirus is just the most visible failure here. The investigation also found weak access controls (how did Medusa move laterally so easily?), poor backup strategies (why couldn't they restore from backups instead of negotiating?), and bad data governance (why was 730 GB of sensitive data accessible from compromised systems?).

Every one of those failures is common in healthcare. I've seen hospitals where domain admin credentials are shared across IT teams. Where backups haven't been tested in months. Where patient data sits on network shares with no access restrictions because "the clinicians need it."

Attackers don't need zero-days when the basics aren't covered. They need one expired license, one unpatched server, one set of reused credentials. That's the entry point. Everything else - the lateral movement, the data exfiltration, the encryption - that's just the follow-through.

Continuous Validation, Not Annual Checklists

PhilHealth presumably had security policies on paper. Somewhere in a binder, there was probably a policy saying antivirus must be installed and maintained on all systems. The gap between policy and reality is where every breach lives.

SecUnit's agents close that gap by continuously validating that your defenses are actually working - not on paper, not in a quarterly audit, but right now. Our offensive validation agent tests your endpoints the way Medusa would: probing for gaps in coverage, checking for expired protections, identifying systems where security tooling isn't responding. Our investigation agent correlates anomalies across your network in real time, catching the lateral movement patterns that ransomware groups depend on. And our remediation agent responds at machine speed - isolating compromised endpoints before the attacker can reach your data.

PhilHealth's antivirus expired and nobody noticed until 730 GB of data was on the dark web. That's not a technology problem. That's a visibility problem. And visibility at the scale healthcare requires can't depend on humans remembering to check a dashboard. Talk to us.