SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Ransomware
CriticalResolved

University of Perpetual Help Dalta Medical Center

The University of Perpetual Help Dalta Medical Center's servers were infected by Lockbit 3.0 ransomware, causing database unavailability. The NPC ordered the institution to notify all affected data subjects.

November 26, 2022Las Pinas, National Capital RegionUnknown records affected

Key Facts

Date of Incident
November 26, 2022
Date Discovered
November 26, 2022
Records Affected
Unknown
Source
National Privacy Commission
Data Types Exposed
Patient recordsMedical databasesUniversity system data
Response / Action Taken

NPC ordered notification of affected data subjects. Full breach report required within 15 days.

What Happened

On November 26, 2022, the University of Perpetual Help Dalta Medical Center (UPHDMC) was hit by a ransomware attack using the Lockbit 3.0 strain. The attack encrypted the institution's servers, causing their databases to become unavailable.

Lockbit 3.0 is one of the most prolific ransomware variants globally, known for its speed of encryption and double-extortion tactics (threatening to both encrypt and leak stolen data).

How Ransomware Attacks Work

Ransomware like Lockbit 3.0 typically enters an organization through one of three vectors:

  • Phishing emails — a staff member clicks a malicious link or opens an infected attachment, which downloads the ransomware
  • Exposed Remote Desktop Protocol (RDP) — attackers scan the internet for servers with RDP (port 3389) open and use brute-force or stolen credentials to log in
  • Unpatched vulnerabilities — known security flaws in VPNs, firewalls, or web applications that haven't been updated

Once inside, the ransomware spreads laterally across the network, encrypting every system it can reach. Lockbit 3.0 specifically uses a "double extortion" model — encrypting data AND threatening to publish it if the ransom isn't paid.

Impact

The ransomware infection caused:

  • Unavailability of critical databases
  • Disruption to medical center and university operations
  • Potential exposure of patient records and institutional data
  • Need for full incident response and system recovery

NPC Involvement

The National Privacy Commission (NPC) issued a formal order to UPHDMC requiring the institution to:

  • Notify all affected data subjects of the breach
  • Submit proof of notification to the NPC's Compliance and Monitoring Division
  • Submit a full breach report within fifteen (15) days

How to Prevent This

  1. 1.Maintain offline backups (3-2-1 rule) — keep 3 copies of data, on 2 different media types, with 1 copy offline/offsite. Test restoring from backups regularly
  2. 2.Disable RDP or restrict it to VPN-only access — never expose Remote Desktop directly to the internet. If remote access is needed, use a VPN with MFA
  3. 3.Segment your network — separate medical/student systems from staff workstations so ransomware cannot spread from one infected computer to all servers
  4. 4.Deploy endpoint detection and response (EDR) — tools like CrowdStrike, SentinelOne, or the free Microsoft Defender for Endpoint can detect and block ransomware behavior before encryption completes
  5. 5.Patch all internet-facing systems within 48 hours — VPNs, firewalls, and web servers are the first targets. Subscribe to vendor security advisories
  6. 6.Train all staff on phishing recognition — conduct simulated phishing exercises quarterly. Even one untrained employee can be the entry point
  7. 7.Block macro-enabled Office documents — most phishing payloads arrive as Word or Excel files with malicious macros. Disable macros by default via group policy

Sources & References

All sources are independently verified. Access dates and archive links are recorded for each citation.

  1. [1]
    National Privacy Commission — NPC Order: In re University of Perpetual Help Dalta Medical Center (NPC-BN-22-208)
  2. [2]
    Manila Bulletin — Ransomware attacks in the Philippines surge by almost 60% in 2022 — references UPHDMC incident
ransomwareLockbituniversitymedical centerNPC order

Related Incidents

High

Philippine Universities — Canvas LMS Breach

May 6, 2026

High

Romblon State University (RSU)

April 22, 2025

High

De La Salle University (DLSU)

October 9, 2023

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources