SINGAPORE - On July 4, staffers of SingHealth's IT vendor discovered and halted a cyber attack on the public healthcare group.

But it took another six days for them to confirm that personal data and prescription records were stolen.

A reason for the time taken: an employee of Integrated Health Information Systems (IHiS), the agency which runs the IT systems of all public healthcare institutions here, had mistakenly told his colleagues that no data was stolen.

It was not until his superior decided to run some tests during a meeting on July 10 that IHiS found that hackers had stolen data of 1.5 million people and prescription records of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

These details emerged during the testimony of Mr Henry Arianto, IHiS deputy director of product management and delivery in the clinical care department, before a four-member Committee of Inquiry (COI) on Wednesday (Sept 26).

Mr Arianto said one of his staff members had told him on July 9 that the query made by the hackers to the SingHealth database on July 4 - which IHiS had discovered and stopped - did not return any results.

Mr Arianto shared this information during a meeting with several senior IHiS staff on July 9.

He said during the hearing that he was shown at the meeting that some queries had been made since June 27 - the day the data started being stolen from the SingHealth database.

During another meeting the next day, Mr Arianto decided to "double-check" by running one of these queries.

That was when he realised that his staff member had been wrong.

"I discovered that the query, did, in fact, result in data being returned. I cannot recall exactly what the returned result was, but I was shocked, as I had previously been informed... that the query returned no data results," Mr Arianto said.

Later that day, the Cyber Security Agency of Singapore was informed. The Ministry of Health and SingHealth were also told about the attack on that day too. Singaporeans were told about the attack on July 20.

Based on testimony from the witnesses before the COI since last Friday, IHiS cyber security staff held two meetings on July 5 and July 9 after discovering the cyber attack on July 4.

After confirming that data was stolen, IHiS set up a "war room" on July 10 itself to trawl the patient database and to investigate the matter.

Shedding more light on what went on in the war room, Mr Arianto said that on July 11, he tasked the same staff member who had misinformed him earlier to recreate the queries from June 27 to July 4.

It was on this day that IHiS discovered that PM Lee's data had been directly accessed using his NRIC, along with two other people. The COI earlier heard that the other two are not known to be VIPs.

The inquiry continues on Thursday (Sept 27).