Full Report
The University of Mississippi Medical Center (UMMC) says it has resumed normal operations, nine days after a ransomware attack blocked access to electronic medical records and took down many of its IT systems. [...]
Analysis Summary
# Incident Report: University of Mississippi Medical Center Ransomware Attack
## Executive Summary
The University of Mississippi Medical Center (UMMC) experienced a major ransomware attack that disrupted healthcare operations for nine days. The incident blocked access to electronic medical records (EMR) and forced the cancellation of outpatient procedures and imaging appointments statewide. UMMC successfully restored systems and resumed normal operations through the use of downtime procedures and technical recovery efforts, coordinated with federal authorities.
## Incident Details
- **Discovery Date:** Thursday, February 26, 2026 (approximate based on reporting)
- **Incident Date:** Late February 2026
- **Affected Organization:** University of Mississippi Medical Center (UMMC)
- **Sector:** Healthcare
- **Geography:** Mississippi, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately late February 2026.
- **Vector:** Not disclosed in the initial report.
- **Details:** Criminal intruders gained access to the UMMC network, leading to the deployment of ransomware.
### Lateral Movement
- **Details:** Attackers moved through the network to target critical infrastructure, including the Electronic Medical Record (EMR) system and various IT services across clinical and administrative segments.
### Data Exfiltration/Impact
- **Data/Impact:** Ransomware encrypted systems, blocking access to patient records. While hospital services continued under manual "downtime procedures," outpatient services, ambulatory surgeries, and imaging were suspended.
### Detection & Response
- **Discovery:** Staff identified the intrusion following system failures and encryption messages.
- **Response Actions:** The Division of Information Systems initiated a containment and recovery plan. UMMC engaged with the FBI, CISA, and third-party specialists. Clinics were closed for nine days before a phased reopening.
## Attack Methodology
- **Initial Access:** Unknown (under investigation).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Use of ransomware to obfuscate data and impede standard operations.
- **Credential Access:** Not disclosed.
- **Discovery:** Target identified as a major healthcare provider and Level I trauma center.
- **Lateral Movement:** Not disclosed.
- **Collection:** Likely targeted patient databases and administrative file shares.
- **Exfiltration:** Unknown (investigation ongoing to determine if patient data was stolen).
- **Impact:** Data Encrypted for Impact (T1486); Service Denial.
## Impact Assessment
- **Financial:** Significant costs expected from remediation, lost revenue from canceled appointments, and potential legal/regulatory fines.
- **Data Breach:** Compromise of EMR access; external exfiltration status remains under investigation.
- **Operational:** Severe disruption; 9-day closure of outpatient clinics statewide; cancellation of elective surgeries and diagnostic imaging.
- **Reputational:** High public visibility due to UMMC’s status as the state’s only Level I trauma center and children's hospital.
## Indicators of Compromise
- **Network indicators:** No specific command-and-control (C2) IPs disclosed in the initial public statement.
- **File indicators:** Not disclosed.
- **Behavioral indicators:** Sudden loss of access to EMR systems; presence of ransom notes communicating with UMMC administration.
## Response Actions
- **Containment measures:** Isolation of infected systems and shutdown of network segments to prevent further spread.
- **Eradication steps:** Forensic investigation assisted by FBI and CISA to identify the scope of the intrusion.
- **Recovery actions:** Restoration of patient record access; rescheduling of missed appointments; adoption of extended clinic hours to manage the backlog.
## Lessons Learned
- **Key takeaways:** High-availability EMR access is critical for patient care missions; downtime procedures are essential for maintaining hospital environment safety during a total IT failure.
- **What could have been done better:** Earlier detection of unauthorized network movement might have prevented the full-scale encryption of the EMR system.
## Recommendations
- **Prevention measures:**
- Implement Multi-Factor Authentication (MFA) across all remote access points.
- Enhance network segmentation between clinical EMR environments and administrative systems.
- Maintain air-gapped backups of critical patient data to ensure rapid restoration without negotiating with threat actors.
- Conduct regular ransomware simulation exercises for both IT and clinical staff.