The Philippines’ state health insurer didn’t have cyber protection software when hackers attacked its computers, giving criminals access to the data of millions of its citizens and triggering calls for an extensive cybersecurity audit.

While the full extent of the breach has yet to be determined, the Philippine Health Insurance Corp. has warned its over 36 million members — around a third of the country’s population — that their data may have been compromised.

The lapse, partly caused by a change in procurement processes, adds to a series of attacks on Philippine government agencies that has highlighted the Southeast Asian nation’s vulnerability to cybersecurity threats.