University of Mississippi Medical Center 35 Clinics Shut Down 9 Days by Ransomware

Feb 19 - Mar 2, 2026 · Healthcare

CRITICAL

By Karim El Labban · ZERO|TOLERANCE

On February 19, 2026, the Medusa ransomware group struck the University of Mississippi Medical Center (UMMC) - Mississippi's only Level 1 trauma center, its only children's hospital, and one of the state's largest employers with over 10,000 staff and a $2 billion annual budget.

The attack crippled UMMC's entire IT infrastructure, taking down its Epic electronic health record (EHR) system, phone lines, and email. All 35 of UMMC's statewide clinics shut down for nine consecutive days.

Surgeries, chemotherapy appointments, and elective procedures were cancelled. Emergency department staff reverted to pen and paper.

On March 12, Medusa claimed responsibility on its dark web leak site, posting proof-of-claims and demanding $800,000 for 1 TB of exfiltrated data - including patient protected health information, employee records, and student data.

Negotiations reportedly failed after UMMC allegedly offered $550,000. This attack hit an institution already under federal scrutiny: in 2016, UMMC paid a $2.75 million HIPAA settlement to HHS OCR for systemic data security failures dating back to 2005.

01

KEY FACTS

  • What: Ransomware attack encrypted UMMC's network and Epic EHR system, forcing nine-day closure of all 35 statewide clinics and cancellation of surgeries and cancer treatments.
  • Who: University of Mississippi Medical Center - state's only Level 1 trauma center and only children's hospital; 10,000+ employees; seven hospitals; 35 clinics; 70,000+ patients annually.
  • How: Medusa ransomware deployment (initial access vector undisclosed by UMMC; Medusa typically leverages initial access brokers, phishing, compromised RDP, or exploitation of unpatched vulnerabilities such as ScreenConnect CVE-2024-1709 and Fortinet CVE-2023-48788).
  • Data: Medusa claims 1 TB exfiltrated - over 1 million files including patient protected health information (PHI), employee personally identifiable information (PII), student PII, and financial information. UMMC has not confirmed or denied the claim.
  • Actor: Medusa ransomware group (RaaS operation active since June 2021; 500+ claimed victims including 40+ healthcare organizations; subject of CISA Advisory AA25-071A).
  • Impact: 35 clinics closed 9 days. Surgeries, chemotherapy, and elective procedures cancelled. Epic EHR, phone, and email systems offline. Emergency department operated on paper. $800,000 ransom demanded. Recovery estimated at "weeks to months."

02

TIMELINE

  • February 19, 2026 (early hours): Ransomware detected on UMMC network. Epic EHR, phone systems, and email go offline. UMMC activates emergency operations plan within one hour per Mississippi State Department of Health requirements. FBI and DHS alerted.
  • February 19, 2026: UMMC announces closure of all 35 statewide clinics. Emergency department remains open. Kidney dialysis clinic at Jackson Medical Mall remains operational. Staff begin documenting patient care on paper.
  • February 20, 2026: All clinics remain closed. Surgeries, chemotherapy appointments, and elective procedures cancelled. Mississippi MED-COM (statewide hospital transfer coordination network) affected but maintains operations through redundancy systems.
  • February 20-27, 2026: Nine-day shutdown period. Emergency department continues accepting patients using paper-based documentation. Inpatient care continues under downtime procedures with manual order processing. UMMC confirms contact with the attackers but declines to name the group or disclose ransom demands publicly.
  • February 24, 2026: Cybersecurity experts publicly state recovery could take "weeks to months." UMMC remains silent on technical details and negotiations.
  • March 2, 2026: UMMC reopens all 35 clinics. Epic EHR access and phone lines restored. Extended hours offered to accommodate rescheduled appointments.
  • March 12, 2026: Medusa adds UMMC to its dark web leak site. Claims 1 TB of data and over 1 million files exfiltrated. Demands $800,000 ransom with a March 20 deadline. Posts proof-of-claims including samples of allegedly stolen data.
  • March 19, 2026: DataBreaches.net reports negotiations failed. Medusa demanded $800,000; UMMC allegedly offered $550,000. UMMC has not confirmed or denied these figures.
  • March 20, 2026: Medusa's stated deadline passes. As of late March 2026, UMMC has not disclosed the total number of affected individuals or confirmed the scope of data exfiltration.

03

WHAT HAPPENED

The attack began in the early hours of February 19, 2026, when ransomware was deployed across UMMC's network.

The malware encrypted critical systems including the Epic EHR platform that UMMC's seven hospitals and 35 clinics depend on for patient records, medication orders, lab results, and clinical documentation. Phone systems and email went down simultaneously.

Within one hour, UMMC activated its emergency operations plan and notified the FBI and Department of Homeland Security.

The operational impact was immediate and severe. UMMC shut down all 35 clinics statewide - the only exception being its kidney dialysis clinic at Jackson Medical Mall, where interrupting treatment would pose immediate life-threatening risk. Surgeries were cancelled.

Chemotherapy appointments were cancelled. Elective procedures were indefinitely postponed.

The emergency department - the only Level 1 trauma center in a state of 2.9 million people - remained open but operated entirely on paper, with staff handwriting patient records, medication orders, and clinical notes.

Mississippi MED-COM, the network that coordinates emergency patient transfers across the entire state, was also disrupted, though built-in redundancies prevented a complete breakdown of the transfer system.

For nine consecutive days, UMMC's outpatient infrastructure was offline. Patients across Mississippi - many in rural areas with no nearby alternative - had appointments cancelled with no timeline for rescheduling.

On March 2, UMMC reopened clinics with access to Epic restored, offering extended hours to work through the backlog.

Ten days after reopening, on March 12, the Medusa ransomware group claimed responsibility. The group posted UMMC on its dark web leak site with proof-of-claims, asserting it had exfiltrated over 1 TB of data comprising more than 1 million files.

The claimed data included patient protected health information, employee PII, student PII, and financial records.

Medusa demanded $800,000 - roughly three times its average healthcare demand of approximately $260,000 - with a deadline of March 20. According to reporting by DataBreaches.net, negotiations occurred but collapsed over the price: Medusa held firm at $800,000 while UMMC allegedly countered at $550,000. As of late March 2026, UMMC has neither confirmed nor denied the data exfiltration claims, and has not disclosed the number of affected individuals.

04

THE THREAT ACTOR

Medusa is a ransomware-as-a-service (RaaS) operation active since June 2021. Originally a closed operation, it has expanded to an affiliate model where Medusa developers recruit initial access brokers (IABs) through cybercriminal forums to breach target networks, while the core group handles ransom negotiations.

CISA, the FBI, and MS-ISAC issued a joint advisory (AA25-071A) on March 12, 2025, warning that Medusa had impacted over 300 critical infrastructure organizations across medical, education, legal, insurance, technology, and manufacturing sectors.

By early 2026, the group had claimed over 500 victims, including more than 40 healthcare organizations.

Medusa employs a double extortion model - encrypting victim data and simultaneously exfiltrating it, then threatening to publish stolen data on its leak site if payment is not received.

Known initial access techniques include phishing campaigns with credential-harvesting pages or malicious attachments, exploitation of compromised RDP accounts, and exploitation of unpatched vulnerabilities in public-facing applications, notably ScreenConnect (CVE-2024-1709) and Fortinet (CVE-2023-48788).

In a significant escalation, Symantec reported in February 2026 that North Korea's Lazarus Group had begun deploying Medusa ransomware against U.S. healthcare organizations - though no attribution link has been established between Lazarus and the UMMC attack specifically.

Notable Medusa healthcare victims include HCRG Care Group (UK, $2 million demand, February 2025) and SimonMed Imaging (US, 1.27 million individuals affected, January 2025).

The UMMC attack's $800,000 demand is roughly three times Medusa's average healthcare ransom of approximately $260,000, likely reflecting UMMC's status as a critical state institution.

05

WHAT WAS EXPOSED

Medusa claims to have exfiltrated 1 TB of data comprising over 1 million files. UMMC has not confirmed these claims. Based on Medusa's posted proof-of-claims and reporting from multiple sources, the alleged data includes:

  • Patient protected health information (PHI) - medical records, treatment histories, diagnoses, and associated clinical data. PHI is among the most valuable data on dark web markets because, unlike a password, it cannot be changed, and it enables insurance fraud, identity theft, and targeted scams.
  • Employee personally identifiable information (PII) - names, Social Security numbers, addresses, and employment records for UMMC's 10,000+ workforce.
  • Student personally identifiable information - UMMC is an academic medical center affiliated with the University of Mississippi; student records carry similar identity theft risk.
  • Financial information - billing records, insurance details, and payment data for both patients and employees.

The scale matters: UMMC serves over 70,000 patients annually, employs over 10,000 people, and trains medical students and residents.

If Medusa's claims are accurate, the breach could affect tens of thousands of individuals whose medical records, Social Security numbers, and financial data are now in the hands of a criminal extortion group - and potentially available for purchase after the failed ransom negotiation.

06

TECHNICAL FAILURE CHAIN

UMMC has not disclosed the initial access vector or specific technical failures that enabled the attack.

The following analysis is based on Medusa's known tactics, techniques, and procedures as documented by CISA (AA25-071A), the FBI, and security researchers, combined with the observable impact on UMMC's systems.

1. Initial access (vector undisclosed).

Medusa affiliates typically gain entry through one of three methods: phishing campaigns delivering credential harvesters or malware, exploitation of exposed Remote Desktop Protocol (RDP) services, or exploitation of unpatched vulnerabilities in public-facing applications.

UMMC has not identified which vector was used. The speed and scope of the attack - taking down Epic EHR, phones, and email simultaneously - suggests the attackers achieved broad network access before deploying the ransomware payload.

2. Insufficient network segmentation (inferred). The simultaneous failure of Epic EHR, phone systems, and email suggests these critical systems shared network infrastructure without adequate segmentation, or shared dependencies that were themselves encrypted: Active Directory, the virtualization layer, or shared storage. Ransomware that takes down a domain controller or hypervisor cluster stops every application running on it regardless of VLAN boundaries, so segmentation has to cover identity and infrastructure dependencies, not just network reachability.

A properly segmented environment would have contained the ransomware to the initially compromised segment, preserving clinical systems or communications even if administrative systems were encrypted.

3. Inadequate endpoint detection and response. The ransomware encrypted systems across UMMC's entire network - seven hospitals and 35 clinics - before being detected and contained.

Modern endpoint detection and response (EDR) solutions can identify ransomware encryption behavior (bursts of high-entropy writes and extension-changing renames across many directories, access to decoy files, shadow-copy deletion) within seconds to minutes of the first burst and isolate the affected endpoint automatically.

The scope of encryption suggests either that EDR was not deployed uniformly (servers and hypervisors are the usual gaps), was not configured to block ransomware behavior, or was bypassed or disabled by the attackers before deployment.

4. Data exfiltration without detection. Medusa claims to have exfiltrated 1 TB of data - over 1 million files - before deploying the ransomware payload.

Transferring 1 TB of data from a healthcare network should trigger data loss prevention (DLP) alerts, network anomaly detection, or at minimum unusual egress traffic monitoring. The apparent absence of detection suggests insufficient DLP controls and network monitoring.

5. Prior federal findings of systemic security failures. UMMC paid $2.75 million to HHS OCR in 2016 to settle HIPAA violations stemming from a 2013 breach.

That investigation found UMMC had been aware of risks and vulnerabilities since 2005 with "no significant risk management activity" for years, organizational deficiencies, and insufficient institutional oversight.

OCR found ePHI accessible via a generic username and password on UMMC's wireless network. Whether UMMC fully remediated those systemic issues is a critical question that this ransomware attack brings back into focus.

6. Recovery timeline indicates limited resilience planning. The nine-day clinic closure and "weeks to months" recovery estimate suggest UMMC's disaster recovery and business continuity capabilities were inadequate for an attack of this scale.

Organizations with tested offline backups, documented recovery procedures, and pre-staged clean infrastructure can restore critical systems within 48-72 hours.

07

REGULATORY EXPOSURE

  • HIPAA (45 CFR Parts 160 and 164) - If Medusa's exfiltration claims are accurate, UMMC must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach (45 CFR 164.404), notify HHS OCR (45 CFR 164.408), and, for a breach affecting more than 500 residents of a state, notify prominent media outlets serving that state (45 CFR 164.406). HIPAA Security Rule violations (45 CFR 164.312) - including potential failures in access controls, audit controls, transmission security, and integrity controls - carry inflation-adjusted civil penalties of up to roughly $2.1 million per violation category per calendar year. Given UMMC's 2016 settlement of $2.75 million for prior HIPAA violations, a repeat finding of systemic security failures would significantly increase OCR's enforcement posture. UMMC is already a known entity to OCR investigators.
  • HITECH Act - Strengthens HIPAA enforcement and increases penalties for willful neglect. If OCR determines UMMC failed to implement reasonable security measures despite its prior corrective action plan, penalties escalate.
  • FTC Act Section 5 - Unfair or deceptive practices. If UMMC represented to patients that their data was secure while maintaining inadequate defenses, FTC enforcement is possible, though less common for HIPAA-covered entities.
  • Mississippi Breach Notification Law (Miss. Code Ann. 75-24-29) - Requires notification to affected Mississippi residents "without unreasonable delay" when personal information is compromised. SSN exposure triggers mandatory notification.
  • State Breach Notification Laws (all 50 states) - If affected individuals reside outside Mississippi, UMMC must comply with each state's notification requirements. SSN exposure triggers notification in all 50 states.
  • CISA Reporting - As a healthcare critical infrastructure entity, UMMC's coordination with CISA and the FBI is expected. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will formalize mandatory reporting requirements for covered entities once final rules take effect.
  • Prior OCR Enforcement History - UMMC's 2016 $2.75 million HIPAA settlement included a corrective action plan requiring implementation of specific security controls. If this ransomware attack reveals that those controls were not fully implemented or maintained, OCR could pursue additional enforcement actions with enhanced penalties reflecting repeat non-compliance. A second major breach at an institution already under a corrective action plan is precisely the pattern that triggers OCR's most aggressive enforcement.

08

ZERO|TOLERANCE Advisory

1. Network Segmentation for Clinical Systems - Epic EHR, phone systems, and email should operate on isolated network segments with strict access controls between them. Ransomware that compromises administrative systems should not be able to reach clinical EHR infrastructure.

NIST SP 800-82 and the HHS 405(d) Health Industry Cybersecurity Practices (HICP) both recommend network segmentation as a core control; HICP addresses healthcare environments specifically. Neither is a mandate, but OCR treats documented industry practice as the yardstick for "reasonable and appropriate" safeguards under the Security Rule.
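The following is an added example, not UMMC's network and not code from any of the page's sources. It is a small reachability check over a zone model that shows what the segmentation called for here (and in point 2 of the failure chain) has to mean in practice. Zone names, rules and services are constructed assumptions. Only flows that hand an attacker code execution in the next zone (anything-goes rules, SMB, RDP, WinRM, SSH) count as lateral-movement edges; application flows such as HTTPS to the EHR front end or the app tier's database port are needed for the business and do not.

```python
from collections import deque

# Services over which an attacker who holds one zone can gain code execution in another.
# Application flows (HTTPS to an API, SIP, a DB port used only by the app tier) are not
# in this set: the business needs them and they do not hand out a shell.
LATERAL_SERVICES = {"any", "smb", "rdp", "winrm", "ssh"}


def blast_radius(rules, start):
    """Zones reachable from `start` over lateral-movement-capable flows, with the hop used."""
    via = {start: None}          # zone -> (previous zone, service) or None for the start
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, svc in rules:
            if src == zone and svc in LATERAL_SERVICES and dst not in via:
                via[dst] = (zone, svc)
                queue.append(dst)
    return via


def route(via, zone):
    """Human-readable path from the start zone to `zone`, e.g. for a finding write-up."""
    hops = []
    while via.get(zone):
        prev, svc = via[zone]
        hops.append(f"{prev} -{svc}-> {zone}")
        zone = prev
    return " ; ".join(reversed(hops))


# Constructed zone model (hypothetical hospital, not UMMC).
ZONES = ("workstations", "email", "voip", "ehr_app", "ehr_db", "backups", "mgmt")

# Flat network: user VLAN can reach everything on every port.
FLAT = [("workstations", z, "any") for z in ZONES if z != "workstations"] + [("ehr_app", "ehr_db", "any")]

# Segmented network: application flows only, admin access via a management zone.
SEGMENTED = [
    ("workstations", "email", "https"),
    ("workstations", "voip", "sip"),
    ("workstations", "ehr_app", "https"),
    ("ehr_app", "ehr_db", "mssql"),
    ("backups", "ehr_db", "mssql"),     # backup tier pulls from the DB; the DB never initiates to backups
    ("mgmt", "ehr_app", "ssh"),
    ("mgmt", "ehr_db", "ssh"),
    ("mgmt", "backups", "ssh"),
    ("workstations", "mgmt", "rdp"),    # the one bad rule: user VLAN may RDP straight to the jump hosts
]


def compromised_zones(rules, start="workstations"):
    """Sorted list of zones an attacker holding `start` can take over."""
    return sorted(z for z in blast_radius(rules, start) if z != start)


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        via = blast_radius(rules, "workstations")
        print(f"{name}: compromised from workstations -> {compromised_zones(rules)}")
        if "ehr_db" in via:
            print("  route to ehr_db:", route(via, "ehr_db"))
    fixed = [r for r in SEGMENTED if r != ("workstations", "mgmt", "rdp")]
    print("segmented without the RDP rule ->", compromised_zones(fixed))
```

The flat model loses every zone to one workstation compromise. The segmented model holds except for the single user-VLAN-to-jump-host RDP rule, which quietly reconnects the clinical and backup tiers to the user network through the management plane. Map an export of your own firewall policy onto zone pairs and services, run the same walk, and treat any route from user or email zones into EHR, voice or backup zones as a finding.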

2. Immutable Offline Backups with Tested Recovery Procedures - UMMC's nine-day outage and "weeks to months" recovery estimate indicate backup and recovery capabilities were insufficient.

Healthcare organizations of UMMC's scale should maintain air-gapped, immutable backup copies of critical systems (particularly EHR databases) with documented and regularly tested recovery procedures targeting restoration within 24-48 hours for critical clinical systems.

3. Endpoint Detection and Response (EDR) with Ransomware-Specific Behavioral Detection - Deploy EDR across all endpoints and servers with real-time detection of encryption behavior, credential dumping, and lateral movement.

Solutions should be configured to automatically isolate endpoints exhibiting ransomware indicators. The scope of encryption across UMMC's network suggests detection either failed or was absent.
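As an added example (not UMMC's tooling and not any EDR vendor's logic), here is the detection rule that point 3 of the failure chain and this advisory item call for, run over constructed file-event telemetry: a process is flagged when, inside a sliding window, it makes high-entropy writes or extension-changing renames to many files across several directories, or when it touches a decoy canary file. Paths, process names, thresholds and the ".locked" suffix are assumptions; the rule deliberately does not key on any ransomware family's extension.

```python
import math
import random
from collections import defaultdict, deque

WINDOW_S = 30        # sliding window per process, seconds
MIN_FILES = 20       # distinct files with suspicious modifications inside the window
MIN_DIRS = 3         # spread across at least this many directories
ENTROPY_HIGH = 7.2   # bits/byte: ciphertext and compressed data sit near 8.0, documents near 4-5
CANARY_DIR = "/srv/share/.canary"   # constructed decoy directory no legitimate process should touch


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the written content in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n)
                for c in (data.count(bytes([b])) for b in set(data)))


def _dirname(path: str) -> str:
    return path.rsplit("/", 1)[0]


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


class RansomwareDetector:
    """Flags processes whose file activity looks like bulk encryption, independent of extension."""

    def __init__(self):
        self._recent = defaultdict(deque)   # pid -> deque of (ts, original path)
        self._alerted = set()               # (pid, kind): each condition fires once per process
        self.alerts = []                    # (ts, pid, proc, kind, detail)

    def _alert(self, ts, ev, kind, detail):
        if (ev["pid"], kind) not in self._alerted:
            self._alerted.add((ev["pid"], kind))
            self.alerts.append((ts, ev["pid"], ev["proc"], kind, detail))

    def observe(self, ev: dict):
        ts, pid = ev["ts"], ev["pid"]
        # Decoy files are never touched legitimately: any access is an immediate isolation trigger.
        if _dirname(ev["path"]) == CANARY_DIR:
            self._alert(ts, ev, "canary_touched", ev["path"])
        if ev["op"] == "rename":
            suspicious = _ext(ev["path"]) != _ext(ev["new_path"])
        elif ev["op"] == "write":
            suspicious = shannon_entropy(ev["data"]) >= ENTROPY_HIGH
        else:
            suspicious = False
        if not suspicious:
            return
        window = self._recent[pid]
        window.append((ts, ev["path"]))
        while window and ts - window[0][0] > WINDOW_S:
            window.popleft()
        files = {p for _, p in window}
        dirs = {_dirname(p) for p in files}
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            self._alert(ts, ev, "mass_encryption",
                        f"{len(files)} files in {len(dirs)} directories within {WINDOW_S}s; isolate host")


def build_sample_events():
    """Constructed telemetry: a backup agent, a clinician saving notes, and an encryptor."""
    rng = random.Random(7)

    def ciphertext():
        return rng.randbytes(4096)

    note = b"Patient seen for follow-up; vitals stable, continue current plan. " * 60
    events = []
    for i in range(40):   # nightly backup: 40 high-entropy archives, but all in one directory
        events.append(dict(ts=0.5 * i, pid=100, proc="backupd", op="write",
                           path=f"/srv/backup/set1/chunk{i:03d}.zst", data=ciphertext()))
    for i in range(3):    # clinician: a few low-entropy document saves
        events.append(dict(ts=5 + i, pid=200, proc="WINWORD.EXE", op="write",
                           path=f"/srv/share/clinic_a/note{i}.docx", data=note))
    targets = [f"/srv/share/clinic_{c}/chart{i}.pdf" for i in range(6) for c in "abcde"]
    targets.insert(4, f"{CANARY_DIR}/do_not_open.docx")
    for i, p in enumerate(targets):   # encryptor: overwrite then rename 31 files across 5 shares in ~9s
        t = 40 + 0.3 * i
        events.append(dict(ts=t, pid=300, proc="svchost.exe", op="write", path=p, data=ciphertext()))
        events.append(dict(ts=t + 0.1, pid=300, proc="svchost.exe", op="rename",
                           path=p, new_path=p + ".locked"))
    return sorted(events, key=lambda e: e["ts"])


def run_detector(events):
    det = RansomwareDetector()
    for ev in events:
        det.observe(ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_detector(build_sample_events()):
        print(alert)
```

The backup agent writes more high-entropy files than the encryptor but never alerts, because it stays in one directory; the clinician's saves are low-entropy and never count. The encryptor trips the canary on its fifth file and the mass-encryption rule on its twentieth, well before it finishes the batch. Real EDR products implement the same idea with kernel file-system callbacks rather than a log replay; what matters operationally is that the isolate action is automatic, and that the agent is on servers and hypervisors, not only on user endpoints.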

4. Data Loss Prevention and Network Egress Monitoring - Implement DLP controls and network monitoring to detect and block large-scale data exfiltration. Transferring 1 TB of data from a healthcare network should trigger automated alerts.

Egress traffic analysis, particularly for connections to known Medusa infrastructure or unusual upload volumes, is essential for organizations holding PHI at scale.
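An added example of the egress baseline that point 4 of the failure chain and this advisory item describe, not UMMC's monitoring and not any vendor's product: per-host daily external egress is compared against that host's own history with a robust median/MAD test, an absolute floor keeps small spikes from paging anyone, and a concentration check highlights a single destination absorbing most of the volume. The flow records, host names, allowlisted backup endpoint and thresholds are constructed; in production the flows would come from NetFlow/IPFIX or firewall logs, and destinations would additionally be matched against a threat-intelligence feed.

```python
import ipaddress
import statistics
from collections import defaultdict

GIB = 1024 ** 3
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWLISTED_DST = {"203.0.113.10"}   # constructed: the contracted offsite-backup endpoint
ABS_FLOOR = 50 * GIB                 # below this much external egress per day, do not page anyone
K_MAD = 6.0                          # robust z-score threshold against the host's own history
CONCENTRATION = 0.8                  # fraction of a host's egress going to a single destination


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_egress_by_day(flows):
    """{(day, src_host): {dst_ip: bytes}} over external, non-allowlisted destinations only."""
    out = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f["dst"]) and f["dst"] not in ALLOWLISTED_DST:
            out[(f["day"], f["src_host"])][f["dst"]] += f["bytes_out"]
    return out


def detect_exfiltration(flows, baseline_days, eval_day):
    """Robust-z test of each host's egress on eval_day against its own baseline_days history."""
    per_day = external_egress_by_day(flows)
    alerts = []
    for host in sorted({h for (_, h) in per_day}):
        today = per_day.get((eval_day, host), {})
        total = sum(today.values())
        if total < ABS_FLOOR:
            continue
        history = [sum(per_day.get((d, host), {}).values()) for d in baseline_days]
        median = statistics.median(history)
        # MAD of zero (a perfectly flat or empty history) would divide by zero: fall back to 5 % of the median.
        mad = statistics.median([abs(x - median) for x in history]) or 0.05 * median or 1.0
        robust_z = 0.6745 * (total - median) / mad
        top_dst, top_bytes = max(today.items(), key=lambda kv: kv[1])
        share = top_bytes / total
        if robust_z > K_MAD:
            alerts.append({
                "host": host, "day": eval_day, "egress_bytes": total,
                "baseline_median": median, "robust_z": round(robust_z, 1),
                "top_dst": top_dst, "top_dst_share": round(share, 3),
                "single_destination": share >= CONCENTRATION,
                "action": "block host egress at the edge, then pull process telemetry for that window",
            })
    return alerts


def build_sample_flows():
    """Constructed flow records for days 1-15 (TEST-NET addresses; not real infrastructure)."""
    flows = []
    for day in range(1, 16):
        jitter = (day % 4) * 0.1 * GIB
        # workstation: ~2 GiB/day to two SaaS endpoints, with a 3x spike on day 15 that stays below the floor
        ws_total = (6 if day == 15 else 2) * GIB + jitter
        for dst in ("198.51.100.20", "198.51.100.21"):
            flows.append(dict(day=day, src_host="ws-012", dst=dst, dst_port=443, bytes_out=ws_total / 2))
        # file server: ~3 GiB/day vendor sync; on day 15 it also pushes 1,000 GiB to an unknown host
        flows.append(dict(day=day, src_host="fileserver-03", dst="198.51.100.30", dst_port=443,
                          bytes_out=3 * GIB + jitter))
        if day == 15:
            flows.append(dict(day=day, src_host="fileserver-03", dst="198.51.100.7", dst_port=443,
                              bytes_out=1000 * GIB))
        # backup gateway: 400 GiB/day to the contracted, allowlisted backup endpoint
        flows.append(dict(day=day, src_host="backup-gw", dst="203.0.113.10", dst_port=443, bytes_out=400 * GIB))
        # internal database replication never counts as egress
        flows.append(dict(day=day, src_host="ehr-db-01", dst="10.20.0.5", dst_port=1433, bytes_out=80 * GIB))
    return flows


if __name__ == "__main__":
    for alert in detect_exfiltration(build_sample_flows(), range(1, 15), 15):
        print(alert)
```

Only the file server alerts: the allowlisted backup gateway and the internal database traffic never enter the baseline, and the workstation's tripled egress stays under the 50 GiB floor. The robust statistics matter because a 14-day mean and standard deviation are dragged upward by exactly the kind of outlier you are trying to detect, and the concentration flag is what turns "this host is loud" into "this host is streaming to one place", which is the exfiltration signature.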

5. Multi-Factor Authentication on All Remote Access and Privileged Accounts - Medusa's documented reliance on compromised RDP credentials and phished passwords means MFA on all remote access points, VPN gateways, and administrative accounts is the single most impactful control to block initial access.

FIDO2 hardware security keys for administrative accounts remove the phishable factor: the authenticator signs a challenge bound to the site's origin, so a credential captured on a lookalike page cannot be replayed against the real one. They do not protect a session token stolen after login, so pair them with short session lifetimes and conditional access policies.

6. Patch Management for Public-Facing Applications - Medusa affiliates exploit known vulnerabilities in ScreenConnect, Fortinet, and other public-facing applications.

A 72-hour patching SLA for critical and high-severity CVEs on internet-facing systems, combined with external attack surface monitoring, directly addresses this access vector.

09

SOURCES

HIPAA Journal, NPR, Cybersecurity Dive, Healthcare Dive, BleepingComputer, DataBreaches.net, Mississippi Free Press, Mississippi Today, GovInfoSecurity, Comparitech, The Record, SC Media, HealthExec, CISA Advisory AA25-071A, HHS OCR, Rescana, Aviatrix Threat Research
