Ransomware
Critical | Resolved

University of Perpetual Help Dalta Medical Center

The University of Perpetual Help Dalta Medical Center's servers were infected by Lockbit 3.0 ransomware, causing database unavailability. The NPC ordered the institution to notify all affected data subjects.

November 26, 2022 | Las Pinas, NCR | Unknown records affected

Key Facts

Date of Incident: November 26, 2022
Date Discovered: November 26, 2022
Records Affected: Unknown
Data Types Exposed: Patient records, Medical databases, University system data
Response / Action Taken

NPC ordered notification of affected data subjects. Full breach report required within 15 days.

What Happened

On November 26, 2022, the University of Perpetual Help Dalta Medical Center (UPHDMC) was hit by a ransomware attack using the Lockbit 3.0 strain. The attack encrypted the institution's servers, causing their databases to become unavailable.

Lockbit 3.0 is one of the most prolific ransomware variants globally, known for its speed of encryption and double-extortion tactics (threatening to both encrypt and leak stolen data).

How Ransomware Attacks Work

Ransomware like Lockbit 3.0 typically enters an organization through one of three vectors:

  • Phishing emails — a staff member clicks a malicious link or opens an infected attachment, which downloads the ransomware
  • Exposed Remote Desktop Protocol (RDP) — attackers scan the internet for servers with RDP (port 3389) open and use brute-force or stolen credentials to log in
  • Unpatched vulnerabilities — known security flaws in VPNs, firewalls, or web applications that haven't been updated

Once inside, the ransomware spreads laterally across the network, encrypting every system it can reach. Lockbit 3.0 specifically uses a "double extortion" model — encrypting data AND threatening to publish it if the ransom isn't paid.

Impact

The ransomware infection caused:

  • Unavailability of critical databases
  • Disruption to medical center and university operations
  • Potential exposure of patient records and institutional data
  • Need for full incident response and system recovery

NPC Involvement

The National Privacy Commission (NPC) issued a formal order to UPHDMC requiring the institution to:

  • Notify all affected data subjects of the breach
  • Submit proof of notification to the NPC's Compliance and Monitoring Division
  • Submit a full breach report within fifteen (15) days

How to Prevent This

  1. Maintain offline backups (3-2-1 rule) — keep 3 copies of data, on 2 different media types, with 1 copy offline/offsite. Test restoring from backups regularly
  2. Disable RDP or restrict it to VPN-only access — never expose Remote Desktop directly to the internet. If remote access is needed, use a VPN with MFA
  3. Segment your network — separate medical/student systems from staff workstations so ransomware cannot spread from one infected computer to all servers
  4. Deploy endpoint detection and response (EDR) — tools like CrowdStrike, SentinelOne, or the free Microsoft Defender for Endpoint can detect and block ransomware behavior before encryption completes
  5. Patch all internet-facing systems within 48 hours — VPNs, firewalls, and web servers are the first targets. Subscribe to vendor security advisories
  6. Train all staff on phishing recognition — conduct simulated phishing exercises quarterly. Even one untrained employee can be the entry point
  7. Block macro-enabled Office documents — most phishing payloads arrive as Word or Excel files with malicious macros. Disable macros by default via group policy
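
A defender-side check for items 2 and 3 above, as an added example that is not part of the original page: it audits an inbound allow-rule list and reports every rule that lets a source outside the VPN address pool reach RDP port 3389. The rule format, the rule names and the 10.8.0.0/24 VPN pool are constructed assumptions.

```python
import ipaddress

RDP_PORT = 3389  # the RDP port named on this page
# Assumption: the VPN address pool is the only approved source for RDP.
VPN_POOLS = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed sample of inbound ALLOW rules: (name, source CIDR, protocol, ports).
SAMPLE_RULES = [
    ("db-admin-rdp", "0.0.0.0/0",      "tcp", "3389"),
    ("web-https",    "0.0.0.0/0",      "tcp", "443"),
    ("vpn-rdp",      "10.8.0.0/24",    "tcp", "3389"),
    ("vendor-range", "203.0.113.0/24", "tcp", "3000-4000"),
    ("lab-any",      "::/0",           "any", "any"),
    ("flat-lan-rdp", "10.0.0.0/8",     "udp", "3389"),
    ("vpn-host-ssh", "10.8.0.5/32",    "tcp", "22"),
]

def covers_port(spec, port=RDP_PORT):
    """True if a port spec ('any', '443', '3000-4000', '80,3389') includes port."""
    spec = spec.strip().lower()
    if spec in ("any", "*"):
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def from_vpn_only(cidr):
    """True if every address in cidr lies inside an approved VPN pool."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == pool.version and net.subnet_of(pool)
               for pool in VPN_POOLS)

def exposed_rdp_rules(rules):
    """Return names of allow rules that let non-VPN sources reach RDP."""
    findings = []
    for name, source, proto, ports in rules:
        if proto.lower() not in ("tcp", "udp", "any"):
            continue
        # Port ranges and 'any' rules expose 3389 even when it is not listed alone.
        if covers_port(ports) and not from_vpn_only(source):
            findings.append(name)
    return findings

if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES):
        print("RDP reachable from outside the VPN pool:", name)
```

The flat-lan-rdp rule is flagged even though its source is private address space: a source wider than the VPN pool means an infected workstation on the internal network can still reach RDP on the servers.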

Sources & References

  [1] National Privacy Commission, NPC Order: In re University of Perpetual Help Dalta Medical Center (NPC-BN-22-208)
  [2] Manila Bulletin, Ransomware attacks in the Philippines surge by almost 60% in 2022 (references UPHDMC incident)