Executive Summary
The University of Mississippi Medical Center (UMMC) experienced a significant ransomware attack in late February 2026, resulting in the closure of its clinics statewide for nine days. The attack forced the academic medical center to take its Epic electronic health record (EHR) system offline and restricted access to phone and email communications. While hospitals and emergency departments remained operational using manual downtime procedures, outpatient procedures, ambulatory surgeries, and imaging appointments were canceled. UMMC worked closely with federal authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), and engaged in direct communication with the attackers. As of March 2, 2026, UMMC clinics have resumed normal operations, with extended hours to accommodate rescheduled appointments. No ransomware group has claimed responsibility, and there is no confirmed evidence of data exfiltration or specific data types compromised as of the latest official statements. The incident underscores the healthcare sector’s vulnerability to ransomware attacks and the operational disruptions such incidents can cause. Sources: https://www.cybersecuritydive.com/news/university-mississippi-medical-center-ransomware-attack/813507/, https://www.bleepingcomputer.com/news/security/mississippi-medical-center-reopens-clinics-hit-by-ransomware-attack/
Technical Information
The ransomware attack on UMMC in late February 2026 exemplifies the persistent threat facing healthcare organizations. The attack led to the immediate shutdown of the Epic EHR system, which is a widely used electronic health record platform, and disrupted access to essential communication channels such as phone and email. The operational impact was severe, with all clinics statewide closed for nine days and critical outpatient services suspended. Hospitals and emergency departments continued to function by reverting to downtime procedures, including paper-based documentation and manual order processing, to maintain continuity of care.
The attack’s technical details remain largely undisclosed. UMMC has not released information on the initial access vector, such as whether the attackers used phishing, an exposed remote access service such as RDP or a VPN gateway, or an unpatched public-facing application. There is also no public disclosure of the ransomware family or the tooling used. The only confirmed technical aspect is that key IT systems were rendered inaccessible and UMMC itself characterized the event as ransomware; encryption of data is the expected mechanism but no samples, ransom notes, or forensic findings have been published.
Direct communication between UMMC and the attackers was confirmed, indicating an active extortion attempt. This is consistent with standard ransomware tactics, where threat actors seek to negotiate ransom payments in exchange for decryption keys or to prevent data leaks. UMMC’s collaboration with the FBI and CISA reflects the seriousness of the incident and the need for coordinated incident response in the healthcare sector.
The attack’s impact extended beyond IT systems, affecting patient care delivery, especially for time-sensitive treatments such as chemotherapy. UMMC prioritized rescheduling these appointments and implemented extended clinic hours upon reopening to address the backlog. The disruption also highlights the sector’s reliance on digital systems and the challenges of maintaining care quality during cyber incidents.
Historically, ransomware groups such as LockBit, BlackCat/ALPHV, and Royal have targeted healthcare organizations using a range of initial access techniques, including phishing, exploitation of public-facing applications, and credential attacks against exposed remote access services. Such groups often withhold a public claim of responsibility while negotiations are under way, and the absence of a claim in the UMMC case is consistent with that behavior, though it is not evidence of it. There is no direct evidence linking this attack to any known group or previous campaign.
The healthcare sector’s vulnerability to ransomware is well-documented. According to a 2024 survey by cybersecurity firm Sophos, only 22% of healthcare organizations fully recovered from a ransomware attack in less than a week, while nearly 40% took more than a month. The UMMC incident, with a nine-day clinic closure, aligns with these industry trends and demonstrates the operational risks posed by ransomware.
Mapping the observed effects to the MITRE ATT&CK framework, the following techniques are likely involved, though direct evidence is lacking:
Initial access may have occurred via phishing (T1566), external remote services (T1133), or exploitation of a public-facing application (T1190); none of these is confirmed. Execution of the ransomware payload (T1059, Command and Scripting Interpreter, or T1204, User Execution) would have been necessary to encrypt systems. The primary impact, Data Encrypted for Impact (T1486), follows from UMMC’s own characterization of the event as ransomware. Inhibit System Recovery (T1490), typically shadow copy and backup catalog deletion, and Service Stop (T1489), typically stopping backup, database, and security services immediately before encryption, are routine in ransomware intrusions but are not confirmed here. UMMC’s direct communication with the attackers is an extortion and negotiation channel, not command and control: it says nothing about T1071 (Application Layer Protocol) or any other C2 technique, which would have been in use during the intrusion but for which no evidence has been published.
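The two impact-stage techniques named above, T1490 and T1489, are the ones most worth hunting for in process-creation telemetry, because they tend to run minutes before encryption starts. The following is an added example, not code from UMMC, the cited reporting, or any vendor: it scans constructed process-creation records (a pipe-delimited shape like what Sysmon Event ID 1 or Security Event 4688 would yield after export) for the command lines commonly associated with those two techniques, suppresses routine service stops, and escalates any host that shows both behaviors. The log format, host names, timestamps, and the list of sensitive service names are all assumptions made for the example.

```python
"""Detect ransomware impact-stage precursors (ATT&CK T1490 / T1489) in
process-creation logs. Added illustrative example; the record format, the
sample log, and the service-name list below are constructed, not real data."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# (technique, reason, pattern applied to the command line). An illustrative
# starting set of well-documented ransomware precursors, not an exhaustive ruleset.
INDICATORS = [
    ("T1490", "shadow copy deletion via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "shadow copy deletion via wmic",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "boot recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490", "backup catalog deletion via wbadmin",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("T1489", "service stopped via net/sc",
     re.compile(r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop)\s+(\S+)", re.I)),
    ("T1489", "process killed via taskkill",
     re.compile(r"\btaskkill(?:\.exe)?\b.*\s/im\s+(\S+)", re.I)),
]

# Substrings of service/process names ransomware typically stops before
# encrypting (backup agents, databases, security tools). Constructed list.
SENSITIVE_SERVICES = {"veeam", "sql", "backup", "vss", "sophos", "sense", "mssql"}

# Constructed sample records: timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = """\
2025-11-03T02:14:05Z|WS-0412|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-11-03T02:14:06Z|WS-0412|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2025-11-03T02:14:07Z|WS-0412|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2025-11-03T02:14:09Z|WS-0412|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net stop VeeamBackupSvc /y
2025-11-03T02:14:10Z|WS-0412|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM sqlservr.exe
2025-11-03T08:30:11Z|SRV-FILE01|CORP\\svc_backup|C:\\Windows\\System32\\services.exe|C:\\Program Files\\Backup\\agent.exe|agent.exe --schedule nightly
2025-11-03T09:02:44Z|WS-0077|CORP\\admin1|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net stop Spooler
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    technique: str
    reason: str
    command_line: str


def parse_line(line: str) -> Optional[dict]:
    """Split one record into named fields; return None for malformed records
    so a bad line skips rather than aborting the whole scan."""
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        return None
    keys = ("timestamp", "host", "user", "parent_image", "image", "command_line")
    return dict(zip(keys, fields))


def _is_sensitive(target: str) -> bool:
    t = target.lower()
    return any(name in t for name in SENSITIVE_SERVICES)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per (record, indicator) match."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["command_line"]:
            continue
        cmd = rec["command_line"]
        for technique, reason, pattern in INDICATORS:
            m = pattern.search(cmd)
            if not m:
                continue
            # T1489 only fires when the stopped target is one ransomware cares
            # about; "net stop Spooler" is routine administration, not staging.
            if technique == "T1489" and not _is_sensitive(m.group(1)):
                continue
            alerts.append(Alert(rec["timestamp"], rec["host"], technique, reason, cmd))
    return alerts


def techniques_by_host(alerts: Iterable[Alert]) -> Dict[str, Set[str]]:
    out: Dict[str, Set[str]] = {}
    for a in alerts:
        out.setdefault(a.host, set()).add(a.technique)
    return out


def escalate(alerts: Iterable[Alert]) -> List[str]:
    """Hosts showing both recovery inhibition and service stops are in the
    pre-encryption staging window and should be isolated immediately."""
    return sorted(h for h, t in techniques_by_host(alerts).items()
                  if {"T1490", "T1489"} <= t)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.timestamp} {a.host} {a.technique} {a.reason}: {a.command_line}")
    print("isolate now:", escalate(found))
```

Run against the constructed sample, the scan raises three T1490 alerts and two T1489 alerts, all on WS-0412, and escalates that host; the print-spooler stop on WS-0077 is deliberately not alerted. In production the same logic belongs in the EDR or SIEM rule engine rather than a script, the indicator list should be extended from current threat intelligence, and the escalation should trigger automated host isolation, since the gap between these commands and mass encryption is typically measured in minutes.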
The absence of technical indicators such as malware samples, ransom notes, or forensic reports limits the ability to attribute the attack to a specific threat actor or malware family. The incident’s characteristics, including the operational disruption, negotiation pattern, and sector targeting, are consistent with recent ransomware campaigns against healthcare providers.
In summary, the UMMC ransomware attack demonstrates the significant operational and patient care risks posed by ransomware in the healthcare sector. The lack of detailed technical disclosure limits attribution and lessons learned, but the incident reinforces the need for robust cybersecurity controls, incident response planning, and sector-wide collaboration.
Sources: https://www.cybersecuritydive.com/news/university-mississippi-medical-center-ransomware-attack/813507/, https://www.bleepingcomputer.com/news/security/mississippi-medical-center-reopens-clinics-hit-by-ransomware-attack/, https://attack.mitre.org/
Affected Versions & Timeline
The ransomware attack affected the University of Mississippi Medical Center’s IT infrastructure, most visibly the Epic EHR system, which UMMC took offline, and its phone and email platforms. The attack occurred in late February 2026; the cited reporting places the statewide clinic closure on Thursday, February 26, 2026. Hospitals and emergency departments remained operational using manual downtime procedures, while outpatient procedures, ambulatory surgeries, and imaging appointments were canceled.
Clinics reopened on Monday, March 2, 2026, after access to patient records and communication systems was restored, with extended hours to accommodate rescheduled appointments. The cited reports describe the closure as lasting nine days; note that February 26 to March 2, 2026 spans only four calendar days (2026 is not a leap year), so either the disruption began before the clinic closure date given above or the nine-day figure counts from initial detection rather than from the closure. Check the primary sources before reusing either figure. In sequence: the attack was detected and clinics were closed; hospitals and emergency departments continued on manual processes; UMMC worked with federal authorities and third-party vendors to restore systems; clinics reopened on March 2, 2026.
No specific software versions or vulnerabilities have been disclosed as the initial access vector or exploited weakness. The attack affected all mission areas, with the patient care mission disproportionately impacted due to loss of access to digital records and communication tools.
Sources: https://www.cybersecuritydive.com/news/university-mississippi-medical-center-ransomware-attack/813507/, https://www.bleepingcomputer.com/news/security/mississippi-medical-center-reopens-clinics-hit-by-ransomware-attack/
Threat Activity
The threat activity observed in the UMMC incident is consistent with established ransomware tactics against healthcare organizations. The attackers deployed ransomware that disrupted critical systems; UMMC took its Epic EHR platform offline and lost access to phones and email. The operational impact was immediate and severe, forcing the closure of clinics and the cancellation of outpatient services.
UMMC confirmed direct communication with the attackers, a common feature of ransomware extortion campaigns. No group publicly claimed responsibility, which is typical while negotiations are ongoing, though the reason in this case is not known. UMMC engaged the FBI and CISA to investigate the incident and coordinate the response.
There is no public evidence of data exfiltration or specific data types compromised as of the latest official statements. However, ransomware groups frequently threaten to leak sensitive data to increase pressure on victims. The lack of a public claim or data leak does not preclude the possibility of data compromise, but no such activity has been confirmed in this case.
The attack follows a broader pattern of ransomware targeting large, multi-site healthcare providers with critical care functions. UMMC is the fourth Mississippi hospital system targeted by cybercriminals since 2023, indicating persistent threat activity in the region. The healthcare sector’s operational urgency and the high value of medical records make it an attractive target for ransomware groups.
The incident highlights the importance of sector-specific threat intelligence, proactive defense measures, and coordinated incident response to mitigate the impact of ransomware attacks on healthcare organizations.
Sources: https://www.cybersecuritydive.com/news/university-mississippi-medical-center-ransomware-attack/813507/, https://www.bleepingcomputer.com/news/security/mississippi-medical-center-reopens-clinics-hit-by-ransomware-attack/
Mitigation & Workarounds
Mitigation and recovery efforts at UMMC focused on restoring access to critical systems, resuming patient care, and coordinating with law enforcement and cybersecurity experts. The following recommendations are prioritized by severity:
Critical: Healthcare organizations should implement robust, tested backup and recovery procedures for all critical systems, including EHR platforms like Epic. At least one backup copy must be offline or immutable (unreachable with the credentials the production environment uses), and restores must be rehearsed at realistic data volumes so the recovery time for the EHR is measured, not assumed.
Critical: Multi-factor authentication (MFA) should be enforced for all remote access points, including VPNs, RDP, and administrative interfaces, and for all privileged accounts; phishing-resistant methods (FIDO2 or certificate-based) should be preferred over push or SMS codes, which are routinely bypassed by prompt fatigue and real-time phishing.
Critical: Incident response plans must be developed, regularly updated, and exercised through tabletop and live simulations. Plans should include procedures for manual operations (downtime procedures), communication with law enforcement, and patient care continuity.
High: Regular vulnerability assessments and timely patch management are essential to address known software vulnerabilities that could be exploited for initial access.
High: Security awareness training for all staff, with a focus on phishing detection and reporting, is necessary to reduce the risk of social engineering attacks.
Medium: Network segmentation should be implemented to limit lateral movement within the organization and contain the impact of a successful compromise.
Medium: Endpoint detection and response (EDR) solutions should be deployed to monitor for suspicious activity and enable rapid containment; detections for ransomware precursors such as shadow copy deletion, backup catalog deletion, and mass service stops should be tuned to trigger automatic host isolation rather than only an alert.
Low: Participation in sector-specific information sharing organizations, such as the Health Information Sharing and Analysis Center (H-ISAC), can enhance situational awareness and preparedness.
During the incident, UMMC relied on manual downtime procedures to maintain patient care. All healthcare organizations should ensure that staff are trained in these procedures and that necessary supplies (e.g., paper forms) are readily available.
Sources: https://www.cybersecuritydive.com/news/university-mississippi-medical-center-ransomware-attack/813507/, https://www.bleepingcomputer.com/news/security/mississippi-medical-center-reopens-clinics-hit-by-ransomware-attack/, https://attack.mitre.org/
References
https://www.cybersecuritydive.com/news/university-mississippi-medical-center-ransomware-attack/813507/
https://www.bleepingcomputer.com/news/security/mississippi-medical-center-reopens-clinics-hit-by-ransomware-attack/
https://attack.mitre.org/
https://www.mpbonline.org/blogs/news/cyber-experts-weigh-in-on-ransomware-attack-targeting-ummc/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cybersecurity risks across their vendor ecosystem. Our platform enables healthcare providers and other critical infrastructure organizations to gain visibility into supply chain vulnerabilities, automate risk assessments, and respond rapidly to emerging threats. For questions or further information, please contact us at ops@rescana.com.