LONDON (CNN) — Britain’s National Health Service does not have any evidence that patient data was breached following a ransomware attack, the agency said.
Tens of thousands of ransomware attacks Friday targeted organizations around the world, including 16 that are part of the National Health Service.
“At this stage,” the NHS said, “we do not have any evidence that patient data has been accessed.”
The problem appeared to begin Friday morning, when hospitals in the UK were crippled by a large-scale cyberattack that forced operations to be canceled and ambulances to be diverted.
Health workers reported being locked out of their systems and seeing messages demanding ransom payments to regain access. NHS England described the incident as a “ransomware” attack.
The ransomware, called “WannaCry,” locks down all the files on an infected computer and demands the administrator pay to regain control of them. Victims have six hours to pay before a $300 ransom goes up, one expert said.
The exploit was leaked last month as part of a trove of NSA spy tools.
Hospitals part of global attack
At least 16 organizations connected to the National Health Service in England and an unknown number in Scotland reported being affected.
“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” officials at NHS Digital said Friday in a statement.
“At this stage, we do not have any evidence that patient data has been accessed. We will continue to work with affected (organizations) to confirm this.”
Hospitals affected include London North West Healthcare Trust in the capital, University Hospitals North Midlands in central England and York Hospitals in the north.
Scottish officials convened an emergency meeting to deal with the problem, Health Secretary Shona Robison said.
The cyberattack was initially believed to target only hospitals in the UK, but it turned out to be a worldwide attack, British Prime Minister Theresa May said.
“We are aware that a number of NHS organizations have reported they have suffered from a ransomware attack,” May said while out on the campaign trail in the UK. “This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected.”
Cybersecurity firm Avast identified more than 75,000 ransomware attacks in 99 countries. CNN has not independently confirmed that number.
The ransomware attack is at “unprecedented level and requires international investigation,” Europol, the European Union’s law enforcement agency, said on Twitter.
UK Home Secretary Amber Rudd is chairing a government meeting on Saturday that will deal with the cyberattacks, the Prime Minister’s office told CNN.
Appointments canceled, ambulances diverted
NHS Digital said it was working with the government’s National Cyber Security Centre, the Department of Health and NHS England to help the organizations affected “manage the incident swiftly and decisively.” It also said the attack did not specifically target the NHS.
Barts Health NHS Trust in London was “experiencing a major IT disruption and there are delays at all of our hospitals,” its website said.
Barts officials had to cancel routine appointments and divert ambulances to neighboring hospitals, they said, adding that the switchboard at Newham University Hospital also was affected.
The East and North Hertfordshire NHS Trust was “experiencing significant problems with our telephone network,” it said in an online statement.
At two London hospitals, a British medical student found widespread computer issues, he told CNN.
At St. Bartholomew’s Hospital in central London, Sean, who did not want to give his last name, said he noticed problems with the network as soon as he arrived. When he tried to access patient files on a computer, he couldn’t find them — even though he knew they were there. It appeared as if they had been deleted, he said.
The most worrying development concerned problems with the hospital’s referral system, Sean said. The program recommends certain patients for treatment with specialists and has a two-week availability window before the treatment is canceled. The cyberattack, he said, could cause a major backlog in referrals.
At Royal London Hospital, doctors who wanted to access patient scans to use as part of lessons for medical students could not do so, he said.
Malware ‘acts as a worm’
This particular malware emerged in February and has one purpose: “to extort money in return for releasing the data it has encrypted,” said Alan Woodward, a visiting professor of computing at the University of Surrey.
And that’s not the worst of it. “First, there is no guarantee the criminals will release your data,” Woodward said. “And second, even if you do have your data released, there is no guarantee the criminals won’t repeat the exercise.”
The malware “acts as a ‘worm,'” he explained.
“Once inside a network, it seeks out and affects any susceptible computer it can find on the network,” he said. “The only sensible way to tackle it is to ‘pull the plug’ so that it can’t spread any more until you can isolate the affected machines and work out a remediation plan.”
This attack most likely occurred because some hospitals and other affected organizations may not have applied a patch that Microsoft released or were using outdated operating systems that the software giant no longer supports, Woodward said.
“It is a horrible lesson about why using supported software, and keeping that software updated, is so important,” he said.
“The key question” to consider is how an attack such as Friday’s could originate “from a noncritical system such as email” and then spread to other systems, said Awais Rashid, a professor of software engineering at Lancaster University.
“Our society increasingly relies on interconnected systems to deliver key services such as health,” he said.
CNN’s Katie Polglase, Julia Jones, Meera Senthilingam, Joe Sterling, Jessica King and Jeanne Bonner contributed to this report.