NHS services in England and Scotland hit by global cyber-attack

Authored by theguardian.com and submitted by grepnork

At least 16 NHS trusts and as many as 74 countries affected as Theresa May confirms ransomware attack is part of wider international incident

The NHS has been hit as part of a global cyber-attack that threw hospitals and businesses in the UK and around the world into chaos.

The unprecedented attacks appeared to have been carried out by hackers using a tool stolen from the National Security Agency (NSA) in the US. They affected as many as 74 countries and at least 16 NHS trusts in the UK, compromising IT systems that underpin patient safety. Staff across the NHS were locked out of their computers and trusts had to divert emergency patients.

As the prime minister, Theresa May, confirmed that the NHS disruption was part of a wider international event, the attack was declared a major incident by NHS England. In Scotland, the first minister, Nicola Sturgeon, chaired a resilience meeting on the issue.

The same malicious software that hit NHS networks attacked some of the largest companies in Spain and Portugal, including phone company Telefónica, and has also been detected on computers in Russia, Ukraine and Taiwan, among other countries. The international shipping company FedEx was also affected.

Kaspersky Lab, a cybersecurity company based in Moscow, estimated that 45,000 attacks had been carried out in 74 countries, mostly in Russia. In a blogpost it added that the totals could be “much, much higher”.

In the UK, computers in hospitals and GP surgeries simultaneously received a pop-up message demanding a ransom in exchange for access to the PCs.

A warning was circulated on Friday within at least one NHS trust of “a serious ransomware threat currently in circulation throughout the NHS”, but the attack proved impossible to stop. Patient records, appointment schedules, internal phone lines and emails were rendered inaccessible, and connections between computers and medical equipment were brought down. Staff were forced to turn to pen and paper and to use their own mobile phones.

Computer security experts suggested that the crisis could reflect weaknesses in the NHS’s cybersecurity. Ross Anderson, of Cambridge University, said the attack appeared to exploit a weakness in Microsoft’s software that was fixed by a “critical” software patch earlier this year but which may not have been installed across NHS computers.

The vulnerability that appears to have been exploited was allegedly discovered and developed by the NSA and then stolen by an online group known as the Shadow Brokers.

“If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?” Anderson said.

Alan Woodward, a visiting professor of computing at the University of Surrey, said the attack appeared to exploit the same problem as the Microsoft vulnerability. He added that the attack’s success “is likely to be because some organisations have either not applied the patch released by Microsoft, or they are using outdated operating systems”.

NHS Digital said it was unable to comment on the suggestion at short notice.

Last December, it emerged that 90% of NHS computers still run on Windows XP, two and a half years after Microsoft stopped supporting the operating system.

The Patients Association condemned the criminals behind the attack, adding that lessons from earlier incidents had not been learned. “It has long been known that the NHS struggles with IT in multiple respects and that this includes serious security problems,” it said in a statement.

Infected computers show a message demanding a $300 (£233) ransom per machine to be paid to a Bitcoin wallet address. It says: “Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.”

“You only have three days to submit the payment,” the message adds. “After that the price will be doubled. Also if you don’t pay in seven days, you won’t be able to recover your files forever.”

NHS Digital confirmed that a “number of NHS organisations” had been affected and refused to confirm or deny reports that put the total as high as 40. “The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” it said. “At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

“NHS Digital is working closely with the National Cyber Security Centre (NCSC), the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.”

Sixteen NHS organisations were affected as of 3.30pm on Friday, the statement added. However, the NHS has been unable to give a full list of affected sites.

British law enforcement agencies said they believed the attack was criminal in nature, as opposed to a cyber-attack by a foreign power, and was being treated as serious but without national security implications.

One NHS worker, who asked to remain anonymous, said that the attack began at about 12.30pm and appeared to have been the result of phishing. “The computers were affected after someone opened an email attachment – we get a lot of spam and it looks like something was sent to all the trusts in the country. Other hospitals have now been warned not to open these emails – all trusts communicate with each other.”

Another NHS worker, who works at an Essex hospital and also asked to remain anonymous, said her team’s computers went down at about 2pm. “We were told to shut down, take out network cables and unplug the phones,” she said. “A message came up for just one of our team about the fact that all the files would be wiped in two hours unless we gave $300 in bitcoins.”

Dr Chris Mimnagh, a GP in Liverpool, said his surgery had “severed links” to the wider NHS network as a precaution. He said: “Unable to access our clinical system – as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results. We are dealing with urgent problems only. Our patients are being very understanding so far.”

Lorina Nash, 46, from Hertfordshire, was bringing her mother for an appointment at Lister hospital in Stevenage when systems went down. “We have been here since 12.30pm and the computers were affected at about 12pm – patients are still waiting around but most of the A&E patients have been sent to other hospitals. I have never seen accident and emergency so empty.

“They gave my mum a blood test but have had to send her blood to Cambridge by courier for testing. They said it could take two or three hours before it comes back with a result.”

Dr Asif Munaf, a gastroenterologist at Chesterfield hospital, said there was a backlog of patients in its A&E, which he said had been badly affected because it was unable to book new patients on the system.

“From my ward’s point of view we’re not able to make referrals to, for example, psychiatry because they use a different system to us,” he said. “Everything’s getting delayed. Patients who were supposed to go home this afternoon won’t go home until Monday because they now won’t be seen and get a follow-up plan. It’s quite unfortunate for the patients.”

Dr Christopher Richardson, the head of the cybersecurity unit at Bournemouth University, said the process of recovering the NHS’s IT systems would involve a painful and longwinded “deep strip” of affected computers.

“You go down to the basic machine, you take everything off it, you reconfigure it and then you build it back up again,” he said. “If you’re talking national health, you’re talking a lot of machines on a single site and you’ve got to get them all because these nasty pieces of malware, they float around, so they only have to remain on one machine and when you reboot it will deliver the same thing again.”

Additional reporting by Sam Jones in Madrid

DWconnoisseur on May 12th, 2017 at 18:53 UTC »

People beware: I just spent my entire day working on infected computers inside a French network, and this motherfucker @wanadecrypt@ is a fucking cunt! From my experience first hand: the ransomware is deployed using the EternalBlue-like exploits. You can better read about those exploits and the Microsoft patches here.

Who is at risk: Everyone using Windows, up to Windows 7 (it stops at W7) without the hotfixes from March 2017 described in the article I linked above.

What's happening on the computer when it's released: Blue Screen -> reboot -> you're fucked!

What can I do to protect myself: install the hotfixes linked above :>

The virus replicated itself across the network I worked on today via SAMBA shares, and (fucking) cloud syncs. Be very careful! On infected -without hotfixes- W7 computers, it took less than 5 minutes for the worm to reach the entire drive, and encrypt everything (15 computers to format...). On infected -with hotfixes thank god my client had one!- W7 computers, the virus replicated itself only in the folder and subfolders of the cloud sync/SMB share, but fortunately, while it DID encrypt all the files, it did NOT erase the original files next to the encrypted ones. Crisis "almost" mitigated LOL xD

Stay safe people!

purplepatch on May 12th, 2017 at 17:22 UTC »

I'm a doctor in one of the affected hospitals, a major trauma center in London. Everything has gone down. No blood results, no radiology images, there's no group specific blood available. They've declared an internal major incident, the hospital is diverting major trauma and stroke patients. All elective surgery was cancelled from about 1pm. We're not doing anything in theatre that's not life or limb threatening. There will almost certainly be deaths as a result of this. I sincerely hope whichever cunts were responsible for this get utterly fucked by GCHQ.

Puretide on May 12th, 2017 at 14:41 UTC »

I work in the IT department of a hospital in the south east. We've shut off all external emails, our internal network and have severed all links with local hospitals to try to stop this spreading. We get targeted by spam a lot but we've never had anything as bad as this.

Truly disgusting. Great for international nurses day as well.

Edit: I didn't expect this comment to blow up! I know a lot of people are probably worried about family or friends who are in hospital while this is still ongoing. I'm just a nerd who got a job in a hospital but the doctors and nurses in the NHS are an incredible bunch. Without an IT system, every staff member can work using a pen and paper and have probably had to do so before more times than they can count (IT is wonderfully reliable).

That said, in the meantime please do not go to A&E unless it's a true emergency. If you require medical assistance ring 999 or 111.