COI on SingHealth cyber attack

Six-day delay in IHiS staff learning data was stolen

Mr Henry Arianto, IHiS deputy director of product management and delivery in the clinical care department, leaving the High Court yesterday. The SingHealth cyber attack was discovered and halted on July 4, but it was only after Mr Arianto ran some tests on July 10 that he discovered his staff member was wrong in saying no data was stolen. ST PHOTO: KHALID BABA

Employee wrongly stated no data was taken during cyber attack

On July 4, staff of SingHealth's IT vendor discovered and halted a cyber attack on the public healthcare group. But it took another six days for them to confirm that personal data and prescription records were stolen.

A reason for the time taken: An employee of Integrated Health Information Systems (IHiS), the agency that runs the IT systems of all public healthcare institutions here, had mistakenly told his colleagues that no data was stolen.

It was not until his superior ran some tests at a July 10 meeting that IHiS found that hackers had stolen the data of 1.5 million people and prescription records of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

These details emerged during the testimony of Mr Henry Arianto, IHiS deputy director of product management and delivery in the clinical care department, before a four-member Committee of Inquiry (COI) yesterday.

Mr Arianto said one of his employees told him on July 9 that the query made by the hackers to SingHealth's database on July 4 - which IHiS discovered and stopped - did not return any results. Mr Arianto shared this information at a July 9 meeting with several senior IHiS staff.

During the hearing, he said he was shown at the meeting that some queries had been made since June 27 - the day the data started being stolen from the database.

During another meeting on July 10, Mr Arianto decided to "double-check" by running one of these queries. That was when he realised his staff member had been wrong.


"I discovered that the query did, in fact, result in data being returned. I cannot recall exactly what the returned result was, but I was shocked, as I had previously been informed... that the query returned no data results," Mr Arianto said.

Later that day, the Cyber Security Agency of Singapore was informed of the attack, as were the Health Ministry and SingHealth. Singaporeans were told on July 20.

Based on testimony from the witnesses before the COI since last Friday, IHiS cyber-security staff held two meetings on July 5 and July 9 after discovering the cyber attack on July 4. After confirming that data was stolen, IHiS set up a "war room" on July 10 to trawl the patient database and to investigate the matter.

Shedding more light on what went on in the room, Mr Arianto said that on July 11, he tasked the same staff member who had misinformed him earlier to recreate the queries from June 27 to July 4.

It was on this day that IHiS discovered that PM Lee's data had been directly accessed using his NRIC, along with that of two other people. The COI earlier heard that the other two are not known to be VIPs.

The inquiry continues today.

A version of this article appeared in the print edition of The Straits Times on September 27, 2018, with the headline 'Six-day delay in IHiS staff learning data was stolen'.