You know what’s fun? Being a patient in Mississippi who needs a follow-up appointment for your diabetes management, or your kid’s respiratory infection, or your cancer monitoring visit. And showing up to find the clinic is closed. Not because of a snowstorm. Not because of a water main break. Because some ransomware gang encrypted the hospital’s servers and nobody can access the Epic electronic health records system.
That’s what happened at the University of Mississippi Medical Center—UMMC—starting last Thursday. According to NPR and Healthcare Dive, all 35 of UMMC’s clinics across the state were shuttered. Elective procedures cancelled. Epic taken offline. Their phone systems compromised. And as of this writing, there’s no confirmed timeline for restoration.
This is one of Mississippi’s largest healthcare providers. Let’s talk about who actually gets hurt when this happens.
What Went Down
UMMC is the state’s only academic medical center. It operates four hospitals in Jackson, Grenada, Madison County, and Holmes County, plus 35 specialty and primary care clinics spread across a state where healthcare access was already brutally inadequate before a ransomware gang showed up. The hospitals themselves were kept open—emergency departments stayed operational. But the clinics? Dark.
The ransomware attack launched on a Thursday. By Saturday, UMMC officially announced all clinics would be closed through at least Tuesday, according to Healthcare Dive. University officials warned the shutdown could continue for days—possibly longer—while they assessed the extent of the attack, determined whether patient data was compromised, and attempted to restore systems they’d proactively taken offline as a containment measure.
The ransomware took out Epic, their electronic health records platform, which in a modern healthcare organization effectively means the entire clinical operation is running blind. No prescription histories. No lab results. No imaging records. No allergy lists. Clinicians can’t safely treat patients without that information—or they can, but it requires paper-based fallback workflows that most healthcare organizations haven’t drilled in years.
At the time of this writing, nobody has claimed responsibility publicly, and UMMC hasn’t confirmed whether patient data was compromised. That confirmation, based on how these things typically go, will come in approximately three to six months when the notification letters start landing.
Mississippi Patients Don’t Have Options
Here’s what makes this breach particularly vicious, and what the trade press mostly glosses over: Mississippi is a healthcare desert. The state ranks last or near-last on virtually every health outcome metric. It has some of the highest rates of diabetes, obesity, cardiovascular disease, and preventable mortality in the country. UMMC is frequently the only specialty care option for patients across enormous swaths of the state.
When 35 clinics close, even for a week, patients don’t just go somewhere else. For many of them, there is nowhere else. Rural Mississippi patients drive two, three hours to get to UMMC’s specialty clinics. They rearranged their work schedules. They arranged childcare. They took a day off from a job that gives them no sick leave. And they showed up to find the doors locked because of ransomware.
This is the human cost that doesn’t show up in the incident report. Nobody counts the diabetic patient whose HbA1c follow-up got delayed three weeks. Nobody counts the cancer patient whose monitoring visit got pushed back. Nobody counts the mental health patient who showed up for their therapy appointment and got turned away.
The criminals who deployed this ransomware either don’t care about any of this, or they specifically targeted a healthcare organization because they knew it would maximize payment pressure. Probably both.
Healthcare Ransomware Has Been Happening for Years. Nothing Changes.
I need to rant about this for a minute because it’s making me genuinely angry.
We’ve known healthcare was a target for ransomware since at least 2016, when Hollywood Presbyterian Medical Center paid $17,000 in Bitcoin to get their systems back. Then MedStar Health. Then Universal Health Services, which got hit with Ryuk ransomware in 2020 at a cost of $67 million. Then Scripps Health. Then Change Healthcare ($22 billion market impact). Then Ascension Health. And now UMMC.
This is not a new problem. There is a decade of documented evidence that ransomware gangs love healthcare, that healthcare organizations are disproportionately vulnerable, and that the operational and human impacts are severe. And yet here we are, in February 2026, watching another major health system take down all their clinics because they got hit with ransomware.
I wrote about the OnSolve CodeRED emergency alert system getting ransomed by INC Ransom—another critical infrastructure provider that treated security as optional. Same pattern. Different sector. The lesson is identical: critical services get targeted precisely because they can’t afford to be offline, and they pay.
The Lazarus Group is now running Medusa ransomware against healthcare (see today’s other post). INC Ransom just hit Air Côte d’Ivoire. BlackCat/AlphV hit Change Healthcare. Clop hit Oracle EBS users. The ransomware ecosystem is healthy, profitable, and growing—because the victims keep paying and the consequences for attackers remain minimal.
What’s Structurally Broken in Healthcare Security
Healthcare organizations face a genuinely difficult security environment. They have to balance:
- Extreme sensitivity of the data they hold
- Life-critical operational uptime requirements
- Regulatory complexity (HIPAA, state laws, FDA for medical devices)
- Budget constraints tighter than virtually any other sector
- A workforce that is trained as clinicians, not security professionals
- Legacy infrastructure that can’t be patched without clinical validation
- Medical devices running operating systems from 2003
I get it. It’s hard. It was always going to be hard.
But “it’s hard” stopped being an acceptable excuse around 2018. The sector has had eight years of increasingly high-profile wake-up calls and has, broadly speaking, not woken up. The American Hospital Association lobbied against proposed mandatory cybersecurity standards in 2024, arguing the industry should self-regulate. And here we are.
The Change Healthcare breach—which impacted 190 million people through a stolen credential that wasn’t MFA-protected—should have been the moment every hospital CEO stood up in front of their board and said “we will now fund security like a critical operational requirement.” Instead, the industry largely moved on.
What UMMC Needed (And What You Need If You’re In Healthcare)
Tested downtime procedures. Not a binder that sits on a shelf. Actual quarterly drills where clinical staff practice operating on paper forms, manually verifying allergies, manually reconciling medications. When ransomware hits and Epic goes down, you need muscle memory, not a panicked scramble.
Network segmentation between clinical and administrative systems. Epic and clinical workstations on isolated network segments, separated from email, finance, and general IT infrastructure. When ransomware hits the administrative network, clinical systems stay up. This isn’t a new concept—it’s basic security architecture that healthcare has been slow to implement because it’s operationally disruptive to deploy.
Offline backup architecture. Immutable, air-gapped backups of Epic data, updated frequently. When everything gets encrypted, you restore from backup instead of negotiating with criminals. Your recovery time objective needs to be measured in hours, not weeks. If your backup strategy hasn’t been tested with a full restoration exercise in the last twelve months, you don’t actually have a backup strategy—you have hope.
Medical device security program. This is the sneaky one. Medical devices—infusion pumps, imaging systems, monitoring equipment—are frequently the entry point for ransomware in healthcare networks. They run outdated OS versions, they often can’t be patched, and they’re usually connected to the clinical network because they need to send data to Epic. You need a medical device inventory, network isolation for devices that can’t be patched, and compensating controls for everything else. Check my post on Man-in-the-Middle attacks in industrial settings for why this kind of unpatched, connected device problem is a structural nightmare.
Phishing-resistant MFA on everything. I know. I keep saying this. I’ll keep saying it until healthcare organizations actually implement it. Change Healthcare didn’t have MFA. UMMC almost certainly had MFA gaps somewhere in their environment. Every remote access point, every admin account, every EHR login. Phishing-resistant MFA—FIDO2, hardware tokens—not SMS codes.
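One way to check the segmentation and device-isolation recommendations above against a firewall ruleset, as an added example that is not from UMMC or any vendor. The zone names, CIDR ranges, rule format and the use of port 2575 as the device-to-EHR interface port are all assumptions made for illustration.

```python
import ipaddress

# Constructed zone map (assumption): illustrative CIDRs, not any real network.
ZONES = {
    "admin":    ["10.10.0.0/16"],   # email, finance, general IT
    "clinical": ["10.20.0.0/16"],   # EHR servers and clinical workstations
    "devices":  ["10.30.0.0/16"],   # medical devices that cannot be patched
}
# Zone pairs that must never be joined by an allow rule.
FORBIDDEN = {("admin", "clinical"), ("admin", "devices"), ("devices", "admin")}
# Only port devices may use to reach the clinical zone (assumed HL7 interface).
DEVICE_TO_CLINICAL_PORTS = {2575}

def zones_for(cidr):
    """Return every zone whose address space overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {zone for zone, nets in ZONES.items()
            if any(net.overlaps(ipaddress.ip_network(n)) for n in nets)}

def audit(rules):
    """Return (rule name, reason) for each allow rule that breaks segmentation."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for src in sorted(zones_for(rule["src"])):
            for dst in sorted(zones_for(rule["dst"])):
                if (src, dst) in FORBIDDEN:
                    findings.append((rule["name"], f"{src} -> {dst} is forbidden"))
                elif ((src, dst) == ("devices", "clinical")
                      and rule["port"] not in DEVICE_TO_CLINICAL_PORTS):
                    findings.append(
                        (rule["name"], f"devices -> clinical on port {rule['port']}"))
    return findings

# Constructed sample ruleset (not taken from any real firewall).
SAMPLE_RULES = [
    {"name": "mail-to-ehr", "src": "10.10.5.0/24", "dst": "10.20.1.10/32", "port": 443, "action": "allow"},
    {"name": "pump-to-ehr", "src": "10.30.2.0/24", "dst": "10.20.1.10/32", "port": 2575, "action": "allow"},
    {"name": "pump-smb", "src": "10.30.2.0/24", "dst": "10.20.0.0/16", "port": 445, "action": "allow"},
    {"name": "any-any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": 3389, "action": "allow"},
    {"name": "admin-deny", "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "port": 445, "action": "deny"},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Overlap matching is deliberately conservative: a broad rule such as any-to-any is reported once for every zone boundary it crosses.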
The Fixer’s Final Word
Thirty-five clinics. One ransomware attack. The most vulnerable patients in one of America’s most medically underserved states, turned away at the door.
This isn’t a technology problem anymore. It’s a governance and funding problem. Healthcare executives need to walk into their board meetings and explain—in plain language, with cost estimates, with incident impact modeling—what a ransomware attack costs operationally, reputationally, and legally. And then they need to make the ask for the security budget that actually addresses the risk.
The math isn’t complicated. Ransomware attacks in healthcare cost tens to hundreds of millions of dollars in recovery, regulatory penalties, litigation, and reputational damage. A serious security program—proper segmentation, offline backups, MFA, a real incident response team—costs a fraction of that.
The calculus only works if executives understand the risk. Right now, apparently, they don’t.
Get them in a room. Show them the UMMC news. Show them the Change Healthcare numbers. Then make the budget ask.
