Ransomware attack on Palau's health ministry compromised citizens' medical records

The health ministry of the Republic of Palau, an island country in the Western Pacific Ocean, said it experienced a data security incident that compromised the sensitive personal information of the archipelago’s residents.

 

The island country is composed of over 500 islands and forms part of the Micronesia subregion of Oceania. With a population of approximately 18,000 people, it is located 2,500 kilometres to the north of Indonesia and approximately 1,500 kilometres south-east of the Philippines. 

 

In a recent data security incident notice posted on Facebook, the Ministry of Health and Human Services (MHHS) said that on February 17, it was a victim of a ransomware attack. The ministry immediately launched an investigation, with assistance from external cyber security experts, to determine the scope of the incident.

 

The investigation determined that patient data of Belau National Hospital, which is administered by MHHS, was accessed during the attack. The compromised data included billing summaries for patients seen at the hospital between 2018 and 2022, hospital numbers, names, addresses, telephone numbers, dates of birth, diagnosis and procedure information.

 

MHHS has confirmed that payment information such as credit card numbers were not stored by the ministry and wasn’t compromised during the incident.

 

“Based on the kind of information that has been stolen, MHHS and its cyber advisors do not perceive any significant impact to the security of individual Palauans. However, MHHS recommends that all Palauans remain vigilant against potential fraud and/or phishing emails that may attempt to use this incident as a means of getting you to release personal information. MHHS will not contact individuals to discuss this issue,” reads the notice.

 

Last month, the infamous Qilin ransomware group claimed responsibility for the cyber attack on MHHS and listed it as a victim of its data leak site.

 

 

The group claimed that it gave the health ministry a deadline of February 27 to pay a ransom, threatening to leak the stolen data if the demand wasn’t met. The group has now made the data available on its dark web portal, suggesting failed negotiations or a lack of interest from the ministry to engage.