University of Mississippi Medical Center (UMMC)
All 35 clinic locations closed. Epic EHR offline for 9 days. Staff documented patient care by hand.
What happened?
On February 19, 2026, Medusa ransomware hit the University of Mississippi Medical Center. All 35 clinic locations closed. Epic EHR—the electronic health records system—went offline for nine days. Surgeries were cancelled. Imaging was suspended. Staff documented patient care by hand. Some patients were redirected to other facilities. On March 12, Medusa claimed responsibility and demanded $800,000.
What data was actually inside?
The full scope of data exfiltration has not been publicly confirmed. As Mississippi's only academic medical center, UMMC holds patient records spanning decades of care—medical histories, treatment plans, diagnoses, prescriptions, insurance information, and employee records.
Medusa is known for exfiltrating data before encryption. The $800,000 ransom demand suggests they believe they have leverage.
Who gets hurt and how?
Patients first. Surgeries cancelled. Imaging suspended. Care delayed. In healthcare, delay is not neutral—it can mean the difference between catching a cancer early and catching it too late.
Staff worked without electronic records for nine days, increasing error risk. Patients who had records stolen face the standard downstream harms: medical identity theft, insurance fraud, and the permanent exposure of their health histories.
What did they think they were doing right?
UMMC is an academic medical center—presumably with security resources, compliance requirements, and IT staff. They use Epic, one of the largest EHR vendors. They operate under HIPAA. They had security controls in place. The controls were not enough to prevent Medusa from encrypting their entire clinical operation.
What did they not know about their own data?
UMMC didn't know how much of their clinical operation depended on systems that could be taken down simultaneously. They didn't know what data Medusa exfiltrated—they're still determining the scope. They didn't know that their network segmentation, backup strategy, or access controls were insufficient to contain the blast radius.
When 35 clinics go dark at once, it means the architecture allowed a single compromise to cascade everywhere.
What does attribution look like the morning after?
Nine days of manual operations. Every patient visit documented by hand. Every medication order written on paper. Every imaging request processed manually. Then the reconstruction: which records were accessed? Which patients need notification? What did Medusa actually take?
Under HIPAA, UMMC has 60 days to notify affected patients—but first they have to figure out who's affected. That process is ongoing.
What would have changed the outcome?
Knowing what sensitive data lives where—and how connected it all is.
If UMMC had mapped their sensitive data across all 35 clinics and understood the dependencies, they might have caught the architectural weakness before Medusa exploited it. They might have segmented critical systems differently. They might have known, within hours, exactly what was at risk—instead of spending weeks figuring it out.
Don't Learn What You Have From an Attacker
UMMC didn't know what sensitive data was at risk until Medusa showed them. Risk Finder shows you first.