“We are aware that a number of NHS organizations have reported they have suffered from a ransomware attack,” May said, while speaking on the campaign trail in the UK. “This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected.”
The problem appeared to begin Friday morning when hospitals in the UK were crippled by a large-scale cyberattack, which forced operations to be canceled and ambulances to be diverted.
Health workers reported being locked out of their systems and seeing messages demanding ransom payments to regain access. NHS England described the incident as a “ransomware” attack.
At least 16 organizations connected to the National Health Service in England and an unknown number in Scotland reported being affected. “The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” officials at NHS Digital said in a statement.
“At this stage, we do not have any evidence that patient data has been accessed. We will continue to work with affected (organizations) to confirm this.”
Scottish Health Secretary Shona Robison said officials were convening an emergency meeting to deal with the problem.
Hospitals affected range from London North West Healthcare Trust in the capital to University Hospitals North Midlands in central England and York Hospitals in the north.
In Spain, the government said Friday a similar attack had affected a large number of companies. The firms included telecom giant Telefonica and the power company Iberdrola, Reuters reported.
NHS Digital said it was working with the government’s National Cyber Security Centre, the Department of Health and NHS England to help the organizations affected “manage the incident swiftly and decisively.” It said the attack did not specifically target the NHS.
Barts Health NHS Trust in London was “experiencing a major IT disruption and there are delays at all of our hospitals,” its website said.
It had to cancel routine appointments and ambulances were being diverted to neighboring hospitals, Barts said.
The problem also affected the switchboard at Newham University Hospital, Barts said.
The East and North Hertfordshire NHS Trust also was “experiencing significant problems with our telephone network,” it said in an online statement.
A British medical student found widespread computer issues when visiting two London hospitals Friday.
At St. Bartholomew’s Hospital in central London, Sean, who did not want to give his last name, said he noticed problems with the network as soon as he arrived. When he tried to access patient files on a computer, he couldn’t find them — even though he knew they were there. He told CNN it appeared as if they had been deleted.
The most worrying development concerned problems with the hospital’s referral system, Sean said. The program recommends certain patients for treatment with specialists and has a two-week availability window before the treatment is canceled. The cyberattack, he said, could cause a major backlog in referrals.
At Royal London Hospital, doctors who wanted to access patient scans to use as part of lessons for medical students could not do so, he said.
Security experts are still trying to get their arms around the problem.
According to Alan Woodward, a visiting professor of computing at the University of Surrey, this particular malware emerged in February, and it has one purpose: “to extort money in return for releasing the data it has encrypted.”
And that’s not even the worst of it.
Woodward warned there are two problems. “First, there is no guarantee the criminals will release your data,” he said, “and second, even if you do have your data released, there is no guarantee the criminals won’t repeat the exercise.”
He said most likely it occurred this time because some of the hospitals and other organizations affected may not have applied a patch that Microsoft released or they are using outdated operating systems no longer supported by the software giant.
Woodward said the malware “acts as a ‘worm.’ “
“Once inside a network it seeks out and affects any susceptible computer it can find on the network,” he said. “The only sensible way to tackle it is to ‘pull the plug’ so that it can’t spread any more until you can isolate the affected machines and work out a remediation plan.”
He added, “It is a horrible lesson about why using supported software, and keeping that software updated, is so important.”
Awais Rashid, a professor of software engineering at Lancaster University, said “the key question” to consider is how an attack such as Friday’s could originate “from a noncritical system such as email” and then spread to other systems.
“Our society increasingly relies on interconnected systems to deliver key services such as health,” he said.
CNN’s Katie Polglase and Jeanne Bonner contributed to this report.