The 1,100 computers are infected with the Qakbot worm. This monitors compromised computers for information before uploading the data to Qakbot botnet command-and-control servers, said Symantec in a blog post on Thursday.
Symantec has alerted the NHS about the compromised systems, said Cox, which came to light when the company began monitoring two command-and-control servers in March. These are FTP servers that are also infected machines and part of the botnet.
Patient data is unlikely to have been stolen, Symantec security operations manager Orla Cox told ZDNet UK on Friday.
"This is very much a consumer threat," said Cox. "Once it gets into a corporate environment, it looks for consumer data."
Qakbot searches for information such as online banking details, credit card data, social-networking credentials and internet mail credentials, according to the Symantec blog post.
For more on this story, read Over 1,000 NHS desktops part of botnet, says Symantec on ZDNet UK.