The stolen data included patients' name, national identification number, address, gender, race, and date of birth.
The affected users are patients of SingHealth, which is the country's largest group of healthcare institutions comprising 42 clinical specialties, four public hospitals, five speciality centres, nine polyclinics, as well as three community hospitals.
The "deliberate, targeted and well-planned", attack aimed at patients who visited clinics between May 2015 and July 4 this year, the health ministry said in a statement. Of these, 160,000 had their outpatient dispensed medicines' records taken, including Prime Minister Lee Hsien Loong's.
"The Minister-in-Charge of Cyber Security will establish a Committee of Inquiry to conduct an independent external review of this incident", the statement concluded.
Singapore's Ministry of Health (MOH) revealed today that a hacker had breached its IT systems and stolen personal and health-related data on roughly 1.5 million citizens. Gan said, "We are deeply sorry this has happened".
Paul Ducklin, Sophos" senior technologist, said: "The data stolen in this breach is an identity thief's goldmine.
According to the statement, SingHealth lodged a police report on 12 Jul 2018 and police investigation is ongoing.
The hackers first broke into SingHealth's IT system via a front-end workstation, and later managed to obtain log-in details to assess the database, according to CSA's investigations.
The data was later found to have been stolen over a one-week period from June 27 to July 4, though database administrators at the Integrated Health Information Systems (IHiS), the Health Ministry's IT arm, did not detect signs of unusual activity until July 4.
SingHealth has imposed a temporary Internet surfing separation on all of its 28,000 staff's work computers.
But authorities have put the brakes on these plans while they investigate the cyberattack.
Prime Minister Lee said in a Facebook post that he did not know what information the attackers were hoping to find. Security measures, including the blocking of dubious connections and changing of passwords, were taken to thwart the hackers.
Major cyber attacks have been rare in Singapore, which has invested heavily in cyber security over the past decade.
"All patient records in SingHealth's IT system remain intact", MOH and MCI said.
In addition, some 150,000 patients who did not register their mobile numbers with SingHealth will receive letters informing them about whether they are affected within a week. "Singapore ranks among the leaders in cybersecurity, and we would like to see more governments follow their lead in disclosing breaches", he said in a statement.
Despite that, Mr Lee said: "We can not go back to paper records and files".