Full Report
JACKSON, Miss. (WLBT) - Officials are confirming many IT systems, including the electronic medical records system, at the University of Mississippi Medical Center, are down Thursday, following a cyberattack. In a statement, officials said outpatient and ambulatory surgeries and procedures, as well as imaging appointments, have been canceled. Meanwhile, all UMMC clinics across the state are closed. Officials are unable to access the hospital’s electronic medical records. Services are continuing for patients currently there using “downtime procedures.” The hospital employs more than 10,000 people and serves more than 70,000 patients annually. It operates 35 clinics across the state. In a press conference on Thursday, UMMC officials said that they have triggered their emergency operations plans.
Analysis Summary
# Incident Report: UMMC Network Infrastructure Disruption
## Executive Summary
The University of Mississippi Medical Center (UMMC) experienced a major cyberattack that forced the organization to take all IT systems offline, including Electronic Medical Records (EMR). The incident resulted in the closure of 35 statewide clinics and the cancellation of all elective procedures and imaging appointments. UMMC has confirmed direct communication from the threat actors and is currently operating under emergency "downtime procedures" with federal assistance.
## Incident Details
- **Discovery Date:** February 19, 2026
- **Incident Date:** February 19, 2026 (Ongoing)
- **Affected Organization:** University of Mississippi Medical Center (UMMC)
- **Sector:** Healthcare
- **Geography:** Mississippi, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Specific timeframe not disclosed; impacts identified morning of Feb 19.
- **Vector:** Unknown (Experts suggest potential phishing or firewall vulnerability exploitation).
- **Details:** Attackers gained sufficient access to compromise the integrity of the medical center's digital infrastructure.
### Lateral Movement
- **Details:** Evidence suggests movement across the enterprise network, as the primary hospital system and 35 remote clinics were simultaneously affected.
### Data Exfiltration/Impact
- **Impact:** Total loss of access to Electronic Medical Records (EMR).
- **Exfiltration:** Potential compromise of patient demographic data, billing records, and Social Security numbers (investigation ongoing).
### Detection & Response
- **Discovery:** System outages identified by staff on Thursday morning.
- **Response actions taken:**
  - Full shutdown of all IT systems as a precaution.
  - Activation of Emergency Operations Plan.
  - Transition to manual "downtime procedures" for active patients.
  - Engagement with FBI, DHS, and CISA.
## Attack Methodology
- **Initial Access:** Undisclosed (suspected phishing or exploitation of a firewall vulnerability).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Not disclosed.
- **Collection:** Likely targeting demographic and billing data.
- **Exfiltration:** Confirmed communication received from attackers (indicative of extortion/ransomware tactics).
- **Impact:** System disruption via forced shutdown and EMR unavailability.
## Impact Assessment
- **Financial:** Significant revenue loss due to cancellation of surgeries, imaging, and 35 clinic closures; potential extortion demands.
- **Data Breach:** High risk for PII/PHI (Social Security numbers, billing info, patient history) for over 70,000 annual patients.
- **Operational:** Severe disruption; outpatient surgeries and imaging canceled; EMR inaccessible; transition to paper-based procedures.
- **Reputational:** High public visibility; impact on the state's largest healthcare provider and medical school.
## Indicators of Compromise
- **Network indicators:** None disclosed in current media briefing.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unavailability of EMR systems; direct communication/demands from threat actors to administration.
## Response Actions
- **Containment measures:** Isolation of the entire network by taking all IT systems offline.
- **Eradication steps:** Ongoing investigation by FBI, DHS, and CISA.
- **Recovery actions:** Cancellation of classes/appointments to focus resources on system restoration; implementation of emergency medical protocols.
## Lessons Learned
- **Dependency Risk:** Total reliance on EMR systems creates a single point of failure that can halt statewide clinical operations.
- **Interconnectivity:** The breach highlights how a centralized attack can propagate to remote ambulatory clinics through shared network infrastructure.
- **Communication:** Immediate engagement with federal authorities and public transparency is critical for large-scale public health incidents.
## Recommendations
- **Segmentation:** Implement strict network segmentation between clinical EMR environments and general administrative traffic.
- **Business Continuity:** Regularly audit and drill "downtime procedures" to ensure patient safety when digital tools are unavailable.
- **MFA:** Ensure Multi-Factor Authentication is enforced on all external-facing portals and VPNs.
- **Endpoint Protection:** Deploy Advanced Endpoint Detection and Response (EDR) to identify lateral movement before full encryption/system lockout occurs.
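The segmentation and EDR recommendations above both reduce to checks a defender can run over the telemetry the environment already produces. The following is an added example, not code from the report or from UMMC, with all segments, addresses, hostnames, accounts and event records constructed for illustration: the first function audits flow records against a segmentation policy (administrative segment to clinical EMR segment only via an explicit allow-list), and the second applies a simple lateral-movement heuristic to network-logon events (one account reaching many distinct hosts within a short window), the pattern an EDR or SIEM rule would look for before an encryption or lockout phase.

```python
"""Two defender-side checks for an environment like the one described above:
(1) a segmentation policy audit over flow records, flagging administrative
hosts that reach the clinical EMR segment outside an explicit allow-list, and
(2) a lateral-movement heuristic over network-logon events, flagging one
account authenticating to many distinct hosts inside a short window.
Every segment, address, hostname, account and record here is constructed."""

from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed (hypothetical) addressing for the two segments under discussion.
EMR_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
ADMIN_SEGMENT = ipaddress.ip_network("10.10.0.0/16")

# Allow-list: (source host, destination port) pairs permitted to cross from the
# administrative segment into the EMR segment, e.g. an HL7 interface engine.
ALLOWED_ADMIN_TO_EMR = {
    ("10.10.5.10", 443),
}

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.10.5.10", "10.20.1.4", 443),   # interface engine -> EMR web tier: allowed
    ("10.10.7.23", "10.20.1.4", 445),   # admin workstation -> EMR host, SMB: violation
    ("10.10.7.23", "10.20.1.9", 3389),  # admin workstation -> EMR host, RDP: violation
    ("10.20.1.4", "10.20.2.2", 1433),   # intra-EMR database traffic: in policy
    ("10.10.7.23", "10.10.8.1", 445),   # intra-admin traffic: in policy
]


def find_segmentation_violations(flows):
    """Return flows that cross ADMIN_SEGMENT -> EMR_SEGMENT and are not allow-listed."""
    violations = []
    for src, dst, port in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        crosses = src_ip in ADMIN_SEGMENT and dst_ip in EMR_SEGMENT
        if crosses and (src, port) not in ALLOWED_ADMIN_TO_EMR:
            violations.append((src, dst, port))
    return violations


# Constructed network-logon events, modelled on Windows Event ID 4624 with
# logon type 3 (network): (timestamp, account, source_ip, destination_host).
SAMPLE_LOGONS = [
    ("2026-02-19T03:01:10", "svc-backup", "10.10.7.23", "EMR-WEB01"),
    ("2026-02-19T03:01:40", "svc-backup", "10.10.7.23", "EMR-WEB02"),
    ("2026-02-19T03:02:05", "svc-backup", "10.10.7.23", "EMR-DB01"),
    ("2026-02-19T03:02:30", "svc-backup", "10.10.7.23", "CLINIC-FS07"),
    ("2026-02-19T03:03:00", "svc-backup", "10.10.7.23", "CLINIC-FS12"),
    ("2026-02-19T03:03:20", "svc-backup", "10.10.7.23", "CLINIC-FS19"),
    ("2026-02-19T08:15:00", "jdoe", "10.10.9.41", "FILESRV01"),
    ("2026-02-19T08:16:00", "jdoe", "10.10.9.41", "PRINTSRV01"),
]


def find_lateral_movement(logons, window=timedelta(minutes=10), threshold=5):
    """Flag (account, source_ip) pairs that log on to at least `threshold`
    distinct hosts within any sliding window of length `window`.
    Returns a dict mapping the flagged pair to the sorted list of hosts."""
    by_actor = defaultdict(list)
    for ts, account, src, host in logons:
        by_actor[(account, src)].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for actor, items in by_actor.items():
        items.sort()  # chronological order
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[actor] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for flow in find_segmentation_violations(SAMPLE_FLOWS):
        print("segmentation violation:", flow)
    for actor, hosts in find_lateral_movement(SAMPLE_LOGONS).items():
        print("possible lateral movement:", actor, "->", hosts)
```

On the constructed data the audit flags the two SMB/RDP flows from the administrative workstation into the EMR segment, and the heuristic flags the `svc-backup` account fanning out to six EMR and clinic hosts in about two minutes while leaving the ordinary two-host user session alone. In production the same logic would read from flow exports and forwarded 4624 events, and the window and threshold would be tuned per account class, with service accounts that legitimately touch many hosts given their own baselines rather than a blanket exemption.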