Full Report
A devastating cyberattack using ransomware hit the University of Mississippi Medical Center Thursday morning, bringing down its IT network and forcing the university to temporarily close its clinics and cancel appointments and surgeries all over the state due to the outage. LouAnn Woodward, vice chancellor for health affairs and dean of the School of Medicine,…
Analysis Summary
# Incident Report: University of Mississippi Medical Center Ransomware Attack
## Executive Summary
On the morning of Thursday, February 19, 2026, the University of Mississippi Medical Center (UMMC) fell victim to a devastating ransomware attack that paralyzed its statewide IT infrastructure. The incident forced the immediate closure of dozens of clinics and the cancellation of all non-essential surgeries and appointments. UMMC has activated its emergency operations plan to maintain patient safety while attempting to recover critical systems, including its electronic medical records (EMR).
## Incident Details
- **Discovery Date:** Thursday, February 19, 2026
- **Incident Date:** Thursday, February 19, 2026
- **Affected Organization:** University of Mississippi Medical Center (UMMC)
- **Sector:** Healthcare
- **Geography:** Mississippi, United States (Statewide impact)
## Timeline of Events
### Initial Access
- **Date/Time:** Early morning, Thursday, Feb 19, 2026.
- **Vector:** Not disclosed in the initial reporting. Common initial-access vectors in healthcare ransomware incidents are phishing, exposed or weakly protected RDP, and unpatched internet-facing vulnerabilities, but none of these has been confirmed for this incident.
- **Details:** Attackers gained enough access to deploy ransomware across the University’s central network.
### Lateral Movement
- **Details:** Attackers moved from the initial entry point to critical clinical systems, including the "EPIC" electronic medical record system, affecting every medical center location across the state.
### Data Exfiltration/Impact
- **Impact:** Encryption of critical servers and databases. The primary impact noted is the total unavailability of the IT network, preventing access to patient files and scheduling systems.
### Detection & Response
- **Detection:** Discovered early Thursday morning when IT staff identified system failures and network outages.
- **Response:** UMMC leadership, led by Vice Chancellor LouAnn Woodward, triggered the organization’s "Emergency Operations Plan."
## Attack Methodology
- **Initial Access:** [Unknown/Not Disclosed]
- **Persistence:** [Unknown/Not Disclosed]
- **Privilege Escalation:** Likely used to gain administrative control over the EMR environment.
- **Defense Evasion:** [Unknown/Not Disclosed]
- **Credential Access:** [Unknown/Not Disclosed]
- **Discovery:** [Unknown/Not Disclosed]
- **Lateral Movement:** Demonstrated by the attack spreading from the IT network to clinical systems (EPIC).
- **Collection:** [Unknown/Not Disclosed]
- **Exfiltration:** [Unknown/Not Disclosed]
- **Impact:** Encryption of data; System Shutdown (Ransomware).
## Impact Assessment
- **Financial:** Significant loss of revenue due to canceled surgeries and clinic closures; unidentified costs for remediation and potential ransom demands.
- **Data Breach:** The EPIC (Electronic Medical Records) system was compromised; whether any patient data was exfiltrated, and in what volume, is currently unconfirmed.
- **Operational:** Massive disruption; statewide clinics closed, and surgeries/appointments canceled until further notice.
- **Reputational:** High-profile public incident affecting healthcare delivery across the entire state of Mississippi.
## Indicators of Compromise
- **Network indicators:** None provided in the initial press release.
- **File indicators:** None provided in the initial press release.
- **Behavioral indicators:** Sudden, widespread loss of access to EPIC EMR; "Account Locked" or "System Offline" errors across statewide workstations.
## Response Actions
- **Containment measures:** Isolation of infected segments of the IT network.
- **Eradication steps:** Initiation of emergency operations protocols to move clinical work to manual/paper processes where possible.
- **Recovery actions:** Assessing backups to determine the feasibility of system restoration without paying a ransom.
## Lessons Learned
- **Criticality of EMR:** The outage highlights that a modern hospital cannot function effectively without its EMR (EPIC); downtime procedures must be robust.
- **Single Point of Failure:** The centralized nature of the IT network allowed a single attack to impact dozens of clinics statewide simultaneously.
## Recommendations
- **Network Segmentation:** Implement strict segmentation between administrative IT networks and clinical EMR environments (EPIC).
- **Immutable Backups:** Ensure offline, immutable backups of medical record databases are tested and ready for rapid restoration.
- **MFA Implementation:** Ensure Multi-Factor Authentication is enforced on all remote access points and internal privileged accounts.
- **Incident Response Drills:** Conduct regular "tabletop" exercises specifically for ransomware scenarios involving patient care disruption.