Singapore's Ministry of Health (MOH) revealed today that a hacker had breached its IT systems and stolen personal and health-related data on roughly 1.5 million citizens.

MOH officials said this was not the work of casual hackers or criminal gangs but a deliberate and well-planned attack that sought to gather health information on the country's prime minister.

"The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines," the MOH said in a statement.

Data stolen for 1.5 million citizens

The hackers were successful in exfiltrating Prime Minister's Lee data. According to MOH, hackers stole data for around 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018.

Officials say the stolen data included details such as name, NRIC number, address, gender, race, and date of birth. For 160,000 patients, the data also included details on dispensed medicines.

Data such as diagnosis details, test results, or doctors' notes, were not stolen. Officials said hackers didn't edit or delete any patient records, but only exfiltrated it to a remote server.

Hackers had been stealing data for eight days when discovered

According to the findings of a preliminary investigation, hackers had breached MOH's systems last month, and had exfiltrated data from June 27 to July 4, when officials discovered the breach.

MOH said it notified law enforcement, secured its network, and will be contacting affected citizens in the coming days.

Protective measures included resetting all user and systems accounts, placing additional controls on workstations and servers, setting up additional system monitoring controls, and temporarily imposing Internet surfing separation.

Intruders believed to be nation-state hackers

While there were some theories online that the hack may be related to the 2018 North Korea–United States summit that took place at the start of June, the incident actually took place after the event, and doesn't appear to be related.

Nonetheless, security experts didn't rule out this attack being the work of a nation-state actor.

"Health records contain information that is valuable to governments and they are often targeted by nation-state threat actors," Eric Hoh, President of Asia Pacific at FireEye, told Bleeping Computer via email today.

"Nation-states increasingly collect intelligence through cyber espionage operations which exploit the very technology we rely upon in our daily lives," he added, suggesting that anyone has at least some value in the eyes of a foreign actor.

"A cyber espionage threat actor could leverage disclosure of sensitive health information, or financial health related vulnerabilities to coerce an individual in position of interest to conduct espionage," he added.

Singapore lauded for fast response

Neither Hoh nor FireEye put forward any theory on which nation-state actor might have been behind the hack. But Hoh did praise Singapore officials for revealing the hack to its citizens and not covering it up.

"Singapore ranks among the leaders in cyber security, and we would like to see more governments follow their lead in disclosing breaches," Hoh said. "Disclosure enables other organizations to take steps to improve their defenses against similar attacks."

The Singapore hack is a happy ending incident. Hoh said that on average, Asia Pacific organizations usually take 498 days before they detect intruders in their networks.

"Against those metrics, this is a relatively fast response," Hoh added.