Hackers who infiltrated the SingHealth database had specifically searched for Prime Minister Lee Hsien Loong's personal data, using his NRIC number.
He was one of the three people targeted in direct queries made to the database using their NRIC numbers.
The other two were not named but they are not VIPs, according to the testimony of one witness yesterday, the second day of the public hearings to investigate the SingHealth cyber attack.
The hearings are being held before a Committee of Inquiry (COI) convened in private on July 24 to inquire into the events contributing to the breach, which took place between June 27 and July 4.
The four-member COI,headed by former chief district judge Richard Magnus, held its first hearing behind closed doors on Aug 28.
The SingHealth cyber attack - the worst of its kind in Singapore that compromised the personal data of 1.5 million patients - led to the leak of outpatient prescription information of 160,000 people, including PM Lee and several ministers.
During yesterday's hearing, three employees from the Integrated Health Information Systems (IHiS) - an agency which runs the IT systems of public healthcare institutions - gave evidence on what had gone on behind the scenes when the attack was detected.
One of them, Mr Chai Sze Chun, an assistant lead analyst in the IHiS' service delivery division, said a number of queries had been run on the Sunrise Clinical Manager (SCM) database between June 26 and July 8.
Timeline of events
August 2017 to June 2018: The attacker gained an "initial presence" in SingHealth's network in August last year by infecting workstations, and went on to make multiple failed attempts to log in to the database that holds electronic medical records.
June 11 to 14: Ms Katherine Tan, a database administrator with the Integrated Health Information Systems (IHiS), discovered these failed attempts. Ms Tan informed colleagues of her findings since June 11, but did not report them to the security team or her department head. She assumed that colleagues in the applications team would look into the matter.
June 26 to 27: The attacker successfully logged in to the database and began running numerous queries.
June 26 to July 8: Three specific NRIC numbers were targeted through queries. One of these belonged to Prime Minister Lee Hsien Loong. The attacker also ran more general queries, such as one which attempted to retrieve the first 20,000 records of patient demographic data from the Singapore General Hospital.
July 4: Mr Chai Sze Chun, an assistant lead analyst in IHiS' service delivery division, noticed an "unusual query". Ms Tan told him that she had seen similar queries. They realised that someone was trying to access the database through two workstations, and decided to stop the processes whenever they saw these workstations running such queries. No one called to complain that their queries had been terminated.
Some time in July: Mr Chai showed Mr Steven Kuah, his direct superior, an unusual query which was searching for the top 100,000 records from a part of the database. These records contained medical data. "This query would not have been run by anyone in my team," said Mr Kuah in his statement yesterday.
July 10: The Ministry of Health, SingHealth and the Cyber Security Agency of Singapore were informed after investigations confirmed a cyber attack. A police report was made two days later.
July 11: Mr Chan Chee Choong, who works in IHiS' infrastructure services division, reset the passwords for all domain controllers, which handle security authentication for users. Two days later, his team also triggered a password reset for all SingHealth users.
July 20: The public was informed.
This started off as reconnaissance on the database, before the person made direct queries on three NRIC numbers. One of these belonged to PM Lee; the other two belonged to "non-VIPs".
The rest of the queries made were more general and related to patient demographic data, Mr Chai said.
For example, one query sought to retrieve the first 20,000 records of patient demographics from the Singapore General Hospital (SGH).
Giving his testimony yesterday, Mr Chai said that on July 4 he received text messages alerting him to possible performance issues with the SCM database server.
This led him to notice a particular query that had been running for "quite a while" in the database.
The query stopped running, but Mr Chai decided to investigate further. He realised the combination of the program used to run the query, the account used to access the data, and the work station used for the program was "unusual". He said he had not seen queries similar to this one before.
He tried to trace the user who had run the query, but was unable to do so. That same day he sent e-mails to relevant parties about the query.
Mr Steven Kuah, an assistant director in the IHiS' Clinical Care Department and Mr Chai's superior, as well as Mr Chan Chee Choong, manager of the SingHealth Active Directories Team for users in SGH, also testified at the hearing yesterday.
The high-level COI had heard on the first day of the public hearing last Friday that part of the problem leading to the attack was a lack of situational awareness and a tardy response.
Yesterday, Solicitor-General Kwek Mean Luck who has been designated by the Attorney-General to lead evidence in the inquiry, said Mr Chai's statement was among the examples of initiative shown by IHiS staff members.
He said Mr Chai's actual job scope involved ensuring operational efficiency and not cyber security.
"Nevertheless when faced with (this matter) he was alert and showed initiative in investigating this security incident," said Mr Kwek, a Senior Counsel.