University of Mississippi Medical Center Closes Clinics After Ransomware Attack

A ransomware attack disrupted UMMC’s EMR system, forcing clinic closures and manual patient documentation.

Written by Ken Underhill
Feb 20, 2026
A ransomware attack has forced the University of Mississippi Medical Center (UMMC) to temporarily close most of its clinics, cancel elective procedures, and shift to manual documentation as IT systems remain offline. 

The incident, detected in the early hours of Feb. 19, 2026, disrupted UMMC’s network, including its EPIC electronic medical record (EMR) platform.

“We continue to work with federal authorities and national experts in cyberattack response as we evaluate the extent of the attack and our next steps. We expect this to be a multi-day event and will communicate helpful information, when available,” said UMMC in its Facebook post.

“The attack clearly demonstrates the absolute necessity of having effective business continuity plans (BCPs) that enable an organization to deliver its most important business services when it loses its main IT systems,” said Tim Rawlins, senior adviser and director of security at NCC Group in an email to eSecurityPlanet.

He explained, “[Healthcare organizations] are generally vulnerable to such attacks, having systems connected to multiple suppliers, staff that are focused on saving lives and not necessarily cyber security, and investment directed towards medical equipment rather than patching and updating IT systems.”

Tim added, “Unfortunately, this is just the latest of a number of attacks on hospitals and medical services firms. They are an easy target for criminals who are not concerned about the impact on human lives.”

Breaking Down the UMMC Ransomware Incident

Ransomware attacks in healthcare environments often begin with relatively routine entry points, such as phishing emails, compromised credentials, or the exploitation of unpatched vulnerabilities. 

Once inside a network, threat actors typically move laterally, escalate privileges, and deploy encryption payloads designed to disable critical systems. 

In hospital settings, this impact is amplified because electronic medical records (EMRs), imaging platforms, pharmacy systems, and clinical scheduling tools are deeply interconnected. 

Disrupting one core system can quickly cascade across multiple areas of patient care.

What Happens When EMR Systems Go Offline

When EMR systems go offline, hospitals must shift to manual workflows. While continuity plans are designed to maintain life-saving care, administrative strain increases and non-emergency services are often delayed or canceled. 

In many ransomware incidents, attackers also attempt to exfiltrate data prior to encryption to enable double-extortion tactics, meaning the absence of confirmed data theft does not necessarily eliminate long-term risk.

Operational Impact at UMMC

At UMMC, Mississippi’s only academic medical center, the operational impact has been significant. The institution treats more than 70,000 patients annually and employs over 10,000 staff. 

Although emergency services and critical care units remain operational, the ransomware attack has disrupted outpatient clinics and elective procedures, including some chemotherapy appointments. 

Mississippi MED-COM, the statewide hospital transfer coordination network, was also affected; however, built-in redundancies allowed patient routing to continue without interruption.

According to UMMC officials, the attack affected the organization’s IT infrastructure, prompting leadership to proactively take systems offline as a containment measure. 

Without access to the EPIC electronic medical record system, clinicians are documenting patient information with pen and paper. 

Bedside monitoring equipment continues to function, but vital data is not currently integrating into centralized digital systems, increasing the operational burden on clinical staff.

Federal Response and Ongoing Investigation

Federal authorities are assisting in the response. 

“At this point in the incident it’s too early for us to communicate what we do and don’t know, but we are in the process of surging resources both locally and nationally into this incident,” said FBI Special Agent in Charge Robert A. Eikhoff at the UMMC press conference. 

UMMC has confirmed that it has made contact with the group responsible for the attack, though it has not disclosed the threat actor’s identity or whether ransom payment is under consideration. 

As of publication, there has been no confirmation of data exfiltration and the incident remains in the early stages of investigation. 

Building Cyber Resilience in Healthcare

Ransomware preparedness in healthcare extends beyond perimeter defenses and routine patching.

Because clinical systems are closely interconnected and support patient care, organizations should implement layered controls that reduce the likelihood of intrusion while maintaining operational continuity.  

  • Implement zero trust principles, including strong network segmentation, micro-segmentation of clinical systems, and strict least privilege access controls to limit lateral movement.
  • Enforce MFA across privileged, remote, and vendor access while hardening Active Directory and monitoring for abnormal authentication activity.
  • Maintain timely patch management, continuous vulnerability scanning, and hardened configurations across servers, endpoints, and connected medical devices.
  • Deploy EDR tools with real-time behavioral monitoring to detect encryption activity, credential misuse, and suspicious lateral movement.
  • Maintain regular, tested, and immutable offline backups to ensure rapid restoration of critical systems, including electronic medical records.
  • Develop and rehearse clinical downtime procedures to ensure safe patient care continuity when digital systems are unavailable.
  • Integrate ransomware scenarios into vulnerability management programs and regularly test incident response plans with tabletop exercises.

Collectively, these measures help contain ransomware incidents, limit operational blast radius, and strengthen long-term resilience across clinical and IT environments.

Cybersecurity and Patient Care Are Interconnected

As UMMC works to restore systems and assess the full scope of the incident, the disruption serves as another reminder that in healthcare, cybersecurity and patient care are closely intertwined.

Even when core clinical services remain operational, the loss of digital systems can quickly strain workflows and delay treatment. 

For healthcare leaders, ongoing investment in resilient architectures, network segmentation, and regularly tested recovery plans is critical to minimizing operational disruption and protecting patient care.

These realities are driving healthcare organizations to leverage zero-trust solutions designed to continuously verify access and reduce implicit trust across clinical and IT environments.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
