SingHealth cyber breach

SingHealth cyber attack: Method of attack showed high level of sophistication

Hackers did not just look for data to steal, but also planned ahead by probing for more entry points

(From left) Cyber Security Agency chief executive David Koh; MCI Permanent Secretary Gabriel Lim; Minister for Communications and Information S. Iswaran; Health Minister Gan Kim Yong; MOH Permanent Secretary Chan Heng Kee; and SingHealth CEO Ivy Ng at the press conference. ST PHOTO: MARK CHEONG
About 1.5 million patients, including Prime Minister Lee Hsien Loong and a few ministers, have had their personal data stolen. Some 160,000 people also had their outpatient prescriptions stolen.

Like thieves breaking into a house through a window, cyber attackers entered SingHealth's IT system through an Internet-facing workstation.

Their top goal: Prime Minister Lee Hsien Loong's medical details.

As they ransacked the system for data on PM Lee, the thieves also stole the personal data of some 1.5 million patients.

What aided the hackers' plans was that they did not just look for things to steal once they entered the system - they also planned ahead. In the week prior to being discovered on July 4, they had stolen log-in credentials, covered their tracks and probed for more entry points.

These entry points became windows through which other attackers could enter. This meant that when the initial attack was detected and halted, the threat did not stop.

Using the analogy of thieves breaking into a house, Cyber Security Agency of Singapore (CSA) chief executive David Koh said yesterday: "The first time they got in through the window of the storeroom, they managed to get their way upstairs and they managed to steal things.

"So, we threw them out and locked the window in the storeroom. Then the next moment, we found them in the kitchen. If you put this into perspective, this is the level of sophistication we are dealing with."

Mr Joseph Gan, president and co-founder of security solutions firm V-Key, said that this was the work of a dedicated cyber attacker.

"An Internet-facing computer is first breached, and then used as a launchpad to gain deeper access into the network," said Mr Gan.

Giving details about the breach at a press conference yesterday, the CSA said unusual activity was first detected on July 4. By then, the hackers had stolen log-in credentials, covered their tracks and probed for more entry points.

Upon detection, security measures such as the blocking of dubious connections and the changing of passwords were taken to thwart the hackers.

Even though the hackers continued to make repeated attacks on different fronts to gain access to the database, increased monitoring and stepped-up precautionary action resulted in no further data leak from July 4.

For instance, SingHealth reset its network servers and forced all employees to reset their passwords.

All patient records in SingHealth's IT system remain intact, and there has been no disruption of healthcare services.

No record was tampered with and no other patient records such as diagnosis, test results and doctors' notes were breached.

On July 10, the Health Ministry, SingHealth and CSA were informed after forensic investigations confirmed that it was a cyber attack.

A police report was made on July 12, and investigations are ongoing.

Experts largely agree the attack was likely state-sponsored.

"Health records contain information that is valuable to governments, and they are often targeted by nation-state threat actors," said Mr Eric Hoh, cyber-security specialist FireEye's Asia-Pacific president.

"Nation-states increasingly collect intelligence through cyber espionage operations which exploit the very technology we rely upon in our daily lives," he added.

Mr Leonard Kleinman, cyber-security firm RSA's Asia-Pacific chief cyber security adviser, said that medical data contains a trove of information from personally identifiable data to financial details.

"They can be used to create a highly sought-after composite of an individual," he added.

In the wake of the breach, SingHealth yesterday started to impose a temporary Internet surfing separation on all of its 28,000 staff's work computers.

Other public healthcare institutions are expected to do the same at the weekend.


A version of this article appeared in the print edition of The Straits Times on July 21, 2018, with the headline SingHealth cyber attack: Method of attack showed high level of sophistication.