On the morning of February 19, 2026, staff at the University of Mississippi Medical Center showed up to work and found their computers useless. The EPIC digital health record system — the backbone of patient care across one of the largest hospital networks in the South — was down. Within hours, UMMC announced it was closing all 35 of its outpatient clinics statewide. Elective surgeries were canceled. Telehealth appointments across more than 200 sites went dark.
Doctors pulled out paper forms they hadn’t touched in years. Emergency rooms stayed open, but nurses were logging vitals by hand. Mississippi’s only academic medical center — serving one of the nation’s poorest and sickest populations — had been brought to its knees by a ransomware attack.
This wasn’t a small community clinic. UMMC runs seven hospitals, employs over 10,000 people, and is the largest employer in the state of Mississippi. If ransomware can shut them down, it can shut down anyone.
What Happened During the UMMC Cyberattack
The attack hit sometime in the early hours of February 19. By the time staff arrived, the damage was done. UMMC’s IT network was compromised, EPIC was offline, and the hospital activated its Emergency Operations Plan.
Vice Chancellor Dr. LouAnn Woodward confirmed the obvious: attackers made financial demands. UMMC made contact with the group behind the attack, though the hospital hasn’t named the ransomware gang or said whether it considered paying.
The FBI, the Department of Homeland Security, and CISA were all called in. That’s not a sign things are going smoothly — it’s a sign the attack was serious enough to require federal resources.
By February 25 — a full week after the attack — clinics were still closed and elective procedures were still canceled. Recovery efforts focused on restoring the EPIC servers that manage patient data, scheduling, and clinical documentation. Cybersecurity experts who analyzed the situation were blunt: expect weeks to months for full recovery. Complete system restoration after an attack this severe can take six months to a year.
For Mississippi’s most at-risk patients — children with complex conditions, dialysis patients, rural residents who drove hours for specialist appointments — that’s not an inconvenience. That’s a healthcare crisis. UMMC set up an automated triage line at (601) 815-0000 for patients with urgent needs like prescription refills.
Why Healthcare Is the #1 Target for Ransomware Attacks
Ransomware gangs target healthcare for two specific reasons.
First, medical records are worth more on the black market than almost any other data type. A stolen Social Security number sells for a few dollars. A complete medical record — with insurance information, diagnoses, Social Security number, and personal details — can fetch $250 to $1,000 per record. That’s why healthcare breaches doubled in 2025 even as other industries saw declines.
Second, hospitals and clinics can’t afford downtime. A retailer that gets hit can survive being offline for a few days. A dialysis clinic cannot. An oncology practice cannot. Attackers know this, and they set their ransom demands accordingly. In 2025, the average healthcare ransomware demand hit $343,000, and attacks against the sector surged 58% year-over-year.
The FBI has documented a consistent pattern: healthcare has been the most-attacked industry for five consecutive years. And attackers are increasingly targeting smaller practices — the ones with weaker security postures and no dedicated IT teams.
The Uncomfortable Truth: UMMC Had More Resources Than Your Practice
Here’s what makes this story terrifying for small practices. UMMC is a state-funded academic medical center with a dedicated IT department, cybersecurity staff, federal contracts, and pre-existing relationships with the FBI and CISA. They had an Emergency Operations Plan ready to activate. They had documented downtime procedures.
And they still lost their entire EHR system for over a week — with full recovery projected to take months.
Your practice, if you’re a small-to-midsize operation, almost certainly has fewer resources. Less IT staff. No pre-existing relationship with federal cybersecurity agencies. Probably a thinner incident response plan, if you have one at all.
That’s not a criticism. It’s the reality of healthcare in 2026. The same weak spots that took down UMMC exist in clinics everywhere — and the attackers know exactly which targets are easier.
How to Protect Your Healthcare Practice from Ransomware
The UMMC attack is sobering, but it’s not a reason to freeze. It’s a reason to get specific about your defenses. Here’s what actually moves the needle.
1. Conduct a Real HIPAA Risk Review
This isn’t a checkbox exercise you hand to a consultant and forget about. A proper HIPAA Security Rule risk review identifies exactly where your ePHI lives, who can access it, and what would happen if your systems went offline today.
Most OCR enforcement actions in 2025 traced back to inadequate risk analysis. The new HIPAA Security Rule will require these reviews every 12 months. Getting ahead of that rule protects you twice — from attackers and from regulators.
2. Test Your Backups Using the 3-2-1 Rule
Having backups is not the same as having working backups. Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy stored offsite and air-gapped (completely disconnected from your network).
UMMC’s situation would have been dramatically different if they could restore from a clean, verified backup within hours. Your last backup should be recent, your restoration process should be tested quarterly, and your offsite copy should be something ransomware can’t reach and encrypt.
3. Implement Multi-Factor Authentication (MFA) Everywhere
MFA is about to become mandatory under HIPAA. Even before the rule takes effect, implementing MFA on your EHR, email, and remote access tools eliminates a huge percentage of the attack surface. Most major EHR systems — Epic, athenahealth, eClinicalWorks, NextGen — already support it.
Free options like Microsoft Authenticator or Google Authenticator make this a zero-cost security upgrade for most practices.
4. Train Staff to Recognize Phishing Emails
The overwhelming majority of ransomware attacks start with a single employee clicking a malicious link in a convincing email. One person. One click. That’s all it takes.
Regular phishing awareness training — not a once-a-year slideshow, but quarterly simulated phishing exercises — is one of the highest-leverage investments you can make. The new HIPAA Security Rule will require this training at least annually with documented evidence.
5. Create a Documented Downtime Procedure
UMMC fell back to paper because they had procedures for it. Does your practice? If your EHR goes down tomorrow morning, does every staff member know:
- How to record patient care on paper forms?
- How to access medication lists?
- How to contact patients with scheduled appointments?
- Where to find printed copies of key workflows?
Write it down. Print it. Put it somewhere people can actually find it when the network is down. If your practice needs a step-by-step ransomware response plan, build one before you need it.
6. Know Who to Call Before an Attack Happens
Before an incident occurs, build your contact list:
- Your IT vendor or managed security provider — on speed dial
- Your cyber insurance carrier — policy number and claims line
- Your healthcare attorney — HIPAA breach notification has legal requirements
- FBI’s IC3 — ic3.gov for reporting cybercrime
- CISA — 1-888-282-0870 for federal incident assistance
You don’t want to be Googling any of this while your systems are locked.
What to Do If Ransomware Hits Your Practice
If your practice gets hit, the first instinct is often to try to fix it quietly. Don’t.
Under HIPAA, you’re required to notify affected people within 60 days of discovering a breach. If more than 500 people in a state are affected, you must also notify prominent media outlets. Trying to handle it internally almost always makes the regulatory situation worse. OCR’s enforcement actions in 2025 included multiple penalties for delayed breach notification.
Disconnect affected systems from your network right away. Don’t try to remove the malware yourself; you’ll destroy forensic evidence. Call your IT provider and insurance carrier. Document everything from the moment of discovery.
And do not pay the ransom without legal and law enforcement guidance. Paying doesn’t guarantee data recovery, may violate OFAC sanctions rules, and funds the next attack on someone else in healthcare.
The Bottom Line
The UMMC ransomware attack will eventually become a case study. But you don’t have to wait for the postmortem. The lessons are already clear:
- Healthcare groups are the #1 ransomware target
- Even well-resourced systems take weeks to months to recover
- Small practices are increasingly being targeted specifically because they’re easier
- Prevention costs a fraction of what recovery costs
The clinics at UMMC were still closed a week after the attack. Children with complex medical needs missed care they couldn’t get anywhere else in the state. That’s what inadequate preparation actually looks like in human terms.
Your patients are counting on you to not be next.
Not sure where your practice stands on ransomware readiness? One Guy Consulting offers affordable HIPAA compliance packages — including risk reviews, security policies, and incident response planning tailored for small healthcare practices.