On the morning of February 19, 2026, ransomware tore through the University of Mississippi Medical Center's IT infrastructure, locking staff out of Epic, taking down the hospital website, and forcing the closure of every one of UMMC's 35 clinics across the state. What unfolded over the next 24 hours is a masterclass in what healthcare ransomware actually looks like at scale — and a reminder of why hospitals keep ending up in the crosshairs.
There is a moment in every major ransomware incident where leadership realizes the scope of what they are dealing with. At UMMC, that moment came early. "One of our IT systems started not working properly," said Dr. LouAnn Woodward, vice chancellor for health affairs and dean of the School of Medicine, at a press conference later that morning. "So that was our signal." What followed was a rapid and painful cascade: Epic went offline, the hospital website went dark, phone lines were disrupted, and staff at 35 clinics across Mississippi found themselves locking their doors and turning patients away.
This article breaks down what happened, why it happened, what the attackers were likely after, and what the incident reveals about the structural vulnerabilities of healthcare systems in the United States — particularly in states with no laws requiring hospitals to protect patient data from cyberattack.
What Happened, Hour by Hour
The attack struck early on Thursday morning, February 19, 2026. Employees arriving for their shifts described an environment in which systems were simply failing to respond. According to WLBT, staff reported the attack had "compromised all IT systems," with some workers sent home and the medical records system completely inaccessible. The infection moved fast enough and broadly enough that UMMC made the decision not just to isolate affected systems, but to take down all IT infrastructure as a precautionary measure.
By mid-morning, UMMC posted a notice on its Facebook page confirming the attack. The announcement was direct: "Due to a cybersecurity attack, many UMMC IT systems are down, including access to our electronic medical records, Epic. Today, all UMMC clinic locations statewide are closed. Outpatient and ambulatory surgeries/procedures and imaging appointments are cancelled and will be rescheduled." The hospital's main telephone switchboard was unable to transfer calls. The website was unreachable. Patients attempting to check which services were diverting to other facilities found that page offline as well.
At a press conference that afternoon, Dr. Woodward confirmed the nature of the attack. Ransomware. She also disclosed something that rarely makes it into early public statements: the attackers had already made contact. "The attackers have communicated to us," Woodward said, "and we are working with the authorities and specialists on next steps." She did not confirm whether a ransom demand had been made or its amount, and the FBI agent present declined to comment on the specific ransomware variant or the origins of the attack. Dr. Alan Jones, associate vice chancellor for health affairs, added a significant detail: UMMC believes the attack affected only its local servers, not the cloud-based systems — a distinction that, if confirmed, would meaningfully limit the potential scope of data exposure.
UMMC's main Jackson campus includes four hospitals — University Hospital, Children's of Mississippi, Wiser Hospital for Women and Infants, and Conerly Critical Care Hospital — with a combined 827 patient beds, along with 35 clinics statewide. It employs more than 10,000 people, treats more than 70,000 patients annually, and carries an annual budget of roughly $2 billion. It is Mississippi's only academic medical center and the state's only Level 1 trauma center. County health departments that rely on UMMC's Epic EMR for clinical services were also affected, with staff reverting to paper charts.
By the end of the day, UMMC confirmed the disruption would extend into Friday. All clinics would remain closed on February 20. Elective procedures were cancelled. The one exception was the dialysis clinic at Jackson Medical Mall, which remained operational — a pointed reminder of what is at stake when care cannot wait. Emergency services and the Level 1 trauma center continued operating under manual, downtime procedures throughout.
Why UMMC Is a High-Value Target
To understand why a ransomware group would target UMMC specifically, it helps to understand what UMMC is. It is not simply a large hospital. It is the anchor of Mississippi's entire healthcare infrastructure — the state's only academic medical center, its only Level 1 trauma center, and the hub through which complex referrals from across Mississippi flow. When UMMC goes down, the ripple effects extend far beyond Jackson.
Ransomware operators understand this. The operational complexity that makes a system like UMMC difficult to defend also makes it an ideal target for extortion. A regional grocery chain going offline is an inconvenience. A statewide academic medical center going offline is a public health emergency in slow motion. That pressure is a feature of the attack, not a side effect. The higher the perceived urgency to restore operations, the greater the leverage for a ransom demand.
UMMC's history is also relevant here. More than a decade ago, in 2013, a password-protected laptop was stolen from UMMC's Medical Intensive Care Unit, exposing data from approximately 10,000 patients. Federal investigators found that UMMC had been aware of risks and vulnerabilities to its systems as far back as April 2005 and had made no changes until after the breach. The Department of Health and Human Services levied $2.75 million in HIPAA fines and required UMMC to implement a corrective action plan. The 2026 attack raises uncomfortable questions about the depth and longevity of those remediation efforts.
"We are working to mitigate all the risks that we know of." — Dr. LouAnn Woodward, Vice Chancellor for Health Affairs and Dean of the School of Medicine, UMMC (Mississippi Today, February 19, 2026)
What Attackers Are Actually After
There is a persistent misconception about healthcare ransomware that is worth correcting plainly. Attackers are not primarily interested in your MRI scans. They do not care about your lab results. Clinical data — the imaging, the test panels, the physician notes — is largely worthless on the secondary market because it cannot easily be monetized through identity theft or fraud.
What attackers are after is the demographic layer underneath all of that clinical data. James Phipps, a cybersecurity expert who works with medical facilities across Mississippi, explained it clearly to WLBT: attackers are primarily going after demographic data — billing records, Social Security numbers, anything that can be used elsewhere to steal someone's identity. An electronic health record in a system like Epic is not just a clinical file. It is a complete identity dossier: legal name, date of birth, address, insurance information, Social Security number, billing data, payment history. For a ransomware group with the capability to exfiltrate before encrypting — which is now standard practice in what the industry calls double extortion attacks — a hospital is one of the most lucrative targets in existence.
The disruption to patient care (the cancelled surgeries, the closed clinics, the nurses reverting to pen and paper) is largely a byproduct of the encryption phase, not the primary objective. Encryption is the mechanism that creates the ransom leverage. The data theft, if it occurs, is the parallel revenue stream. This dual-track model of exfiltrating, then encrypting, then threatening to publish became the dominant ransomware playbook around 2019 and 2020, when groups began realizing that victims with good backups could restore without paying. Adding the threat of public data exposure closed that exit, and double extortion is now the default operating model for sophisticated ransomware groups targeting healthcare. This is the economic model that has made healthcare ransomware so persistent and so difficult to stop: the incentive structure is perfectly aligned, the targets are structurally vulnerable, and the consequences are too severe for victims to wait out an extended negotiation.
How attackers get in is a question that remains unanswered in UMMC's case at the time of this writing. James Phipps described the typical range of entry points — firewall vulnerabilities, phishing emails, any number of vectors — and that range reflects the reality of healthcare environments: large, complex networks with thousands of endpoints, legacy systems that are difficult to patch, and a workforce that includes clinical staff who are not primarily hired for their cybersecurity awareness. The 2024 Ascension attack began when an employee accidentally downloaded a malicious file. The 2020 Universal Health Services attack is widely reported to have involved Ryuk ransomware, typically delivered via phishing — though UHS never officially confirmed the specific variant. The specific initial access vector for the UMMC attack may not be publicly disclosed for weeks or months, but the category of entry point — a human error, an unpatched vulnerability, a credential compromise — will almost certainly fall within the same predictable range that has defined healthcare ransomware for years.
UMMC has not confirmed what data, if any, was exfiltrated. Cybersecurity expert James Phipps advises patients to monitor bank accounts for unusual charges and report them immediately to their financial institution. Patients should also be alert for unsolicited communications referencing their medical history, insurance, or identity credentials. The nature and scope of any data theft may not become clear for days or weeks.
Downtime Procedures: The Analog Fallback
One of the most instructive aspects of the UMMC attack is the institutional response that prevented it from becoming a mass casualty event. Emergency services never stopped. The Level 1 trauma center kept functioning. Patients in critical care units continued to have their vital signs monitored. How? Downtime procedures — the clinical protocols that govern how healthcare workers deliver care when the electronic systems they depend on are unavailable.
Dr. Alan Jones, associate vice chancellor for health affairs, addressed this directly at the press conference: "We have downtime procedures, so we know how to take care of patients without EMR and I can assure you that at the point of care, all of our processes are intact. All of our equipment works. All of our patients are being taken care of safely." Dr. Woodward elaborated with a detail that is both practical and striking: "We're on a manual process right now. Some of us in the room have been here long enough that we remember taking care of patients with pen and paper."
This is the unglamorous but critical resilience layer in healthcare security. Downtime procedures are not just IT contingency plans — they are clinical operating procedures that must be rehearsed, current, and genuinely executable under stress. Bedside equipment at UMMC continued to monitor vital signs, generate readings, and support care. What it could not do was push that data into Epic. The workaround was the same one hospitals used before electronic health records existed: documentation by hand, with the understanding that reconciliation into the electronic record would come later.
Mississippi MED-COM, the state's coordinating network for hospital transfers, was potentially in scope given UMMC's broader network outage — but Dr. Jones clarified that MED-COM could operate independently and that redundancies were in place to continue routing patients to hospitals without disruption. That distinction matters: the presence of fallback systems prevented the attack from cascading into a statewide emergency communications failure. It is the kind of layered resilience that defense-in-depth architecture is designed to produce, and it worked here precisely because those redundancies existed before they were needed.
The Federal Response
The federal footprint on this incident is unusually visible for an attack still in its first 24 hours. Robert Eikhoff, Special Agent in Charge of the FBI's Jackson Field Office, appeared alongside UMMC leadership at the afternoon press conference — not a routine occurrence, and a signal of the scale at which the Bureau views this incident.
"We are in the process of surging resources both locally and nationally into this incident to make sure that we are standing alongside UMMC and their vendors as we look to understand the extent of this attack." — Robert Eikhoff, FBI Special Agent in Charge, Jackson Field Office (MPB News, February 19, 2026)
The FBI was joined by CISA — the Cybersecurity and Infrastructure Security Agency — and the Department of Homeland Security. UMMC confirmed it had notified both federal and state agencies. Eikhoff declined to specify the ransomware variant or the origin of the attackers, which is standard practice in active investigations where public disclosure could compromise attribution efforts or negotiations.
The multi-agency response reflects a post-2021 posture shift in how the federal government treats healthcare ransomware. That shift followed the Colonial Pipeline attack and a series of devastating hospital ransomware incidents, including the 2020 Universal Health Services attack, which affected approximately 400 acute care hospitals, behavioral health facilities, and care centers across the United States, and the May 2024 Ascension Health breach, which affected 142 hospitals, compromised nearly 5.6 million records, and caused approximately six weeks of downtime before EHR access was fully restored system-wide. In the wake of those incidents, federal agencies have significantly expanded their healthcare-specific response capabilities. CISA maintains dedicated healthcare sector liaisons. The FBI's cyber division has standing arrangements with major healthcare systems to accelerate incident response. The 2026 UMMC attack appears to have activated that full apparatus within hours of the initial compromise being confirmed.
A State Under Siege: The Mississippi Pattern
Context matters here. The UMMC attack is not an isolated incident. It is the fourth ransomware attack on a Mississippi hospital system in three years, and that pattern is deeply troubling.
In 2023, Singing River Health System in Ocean Springs suffered what it described as "a malicious and sophisticated ransomware attack" — an incident that ultimately exposed the health information of nearly a million individuals. That same year, North Mississippi Health Services and OCH Regional Medical Center in Starkville were also struck. In December 2025, Singing River was targeted again, shutting down systems including internet access to contain a potential incident before it escalated. Now, in February 2026, Mississippi's largest and most critical healthcare institution has been taken offline.
Four attacks. Three years. One state. And as the WLBT investigation found, Mississippi has no state law requiring hospitals to protect against cyberattacks. Federal HIPAA requirements still apply, but HIPAA's security provisions are widely regarded as a floor, not a ceiling — written in an era before ransomware-as-a-service made enterprise-grade attack capabilities available to criminal groups for a monthly subscription fee.
- 2023: Singing River Health System (ransomware attack, nearly 1 million patients' data exposed); North Mississippi Health Services (cyberattack); OCH Regional Medical Center, Starkville (cyberattack).
- December 2025: Singing River Health System (potential cyber incident, systems shut down as precaution).
- February 19, 2026: UMMC (ransomware attack, all 35 clinics closed statewide, Epic offline, FBI and CISA respond).
The pattern also has a precedent problem at UMMC specifically. When federal investigators examined the 2013 UMMC laptop breach, they found the institution had known about security vulnerabilities since 2005 and done nothing. That is an eight-year gap between identified risk and meaningful remediation, closed only by a breach. The question being asked quietly in cybersecurity circles right now is how much of the 2026 incident reflects a similar gap between known risk and institutional action.
The Psychology Behind Healthcare Ransomware
Ransomware is not just a technical problem. It is, at its core, a coercion problem — and healthcare is one of the most psychologically effective targets an attacker can choose. Understanding why requires thinking like a threat actor.
Every ransomware operator is running a cost-benefit calculation. The cost side includes the expense and risk of the intrusion, the technical effort to deploy and execute the payload, and the legal exposure if attribution occurs. The benefit side is the probability and magnitude of a ransom payment. Healthcare institutions tip that calculation decisively in the attacker's favor on the benefit side, for several interconnected reasons.
First, healthcare organizations face an asymmetric time pressure that few other sectors experience. A retailer going offline loses revenue. A hospital going offline puts people at risk of harm. That urgency is not hypothetical — it creates genuine, immediate institutional pressure to restore operations. Attackers know this. The ransom negotiation takes place in a context where the victim is not just weighing financial loss but clinical consequences.
Second, healthcare organizations hold data with two distinct monetization pathways: the ransom itself, and the downstream value of the exfiltrated records. A patient record that includes Social Security number, date of birth, insurance data, and billing history is worth significantly more on criminal markets than a typical retail customer record. This creates a financial profile that makes healthcare worth targeting even when the ransom is not paid.
Third — and this is the dimension that is underappreciated in technical discussions of healthcare security — healthcare institutions carry a public trust burden that most commercial organizations do not. When a hospital is attacked, the reputational stakes extend beyond the institution to encompass the communities that depend on it. That pressure shapes how quickly leadership moves toward resolution, and it shapes public pressure on officials to act. Attackers understand that they are not just encrypting files. They are encrypting trust.
James Phipps captured the attack-vector reality succinctly for WLBT, noting that intrusions can come through firewall vulnerabilities, through an employee opening a phishing email — through any number of entry points. The sophistication required to breach a hospital network has declined steadily as ransomware toolkits have become commoditized. What has not declined is the impact when the attack succeeds.
No Law, No Teeth: The Regulatory Void
The absence of a Mississippi state law requiring hospitals to implement cybersecurity protections is not a minor administrative gap. It represents a structural condition that makes repeated attacks not just possible but predictable.
HIPAA's Security Rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic protected health information. But the rule is written in the language of risk management — it requires organizations to assess and address risks, not to implement specific technical controls. An organization that has conducted a risk analysis, documented findings, and implemented some degree of remediation can be technically compliant even if its security posture remains critically weak. The penalty framework, while meaningful in cases like the 2016 UMMC settlement, is reactive. Fines follow breaches; they do not prevent them.
Several states have begun moving toward more prescriptive healthcare cybersecurity legislation. New York proposed hospital cybersecurity regulations in November 2023, formally adopted them in October 2024, and set a full compliance deadline of October 2, 2025. The regulations require specific technical controls, mandatory CISO designation, incident response planning, and annual penetration testing. That deadline has now passed; New York hospitals are subject to active enforcement, with penalties including civil monetary fines and licensing actions for noncompliance. The contrast with Mississippi's legislative posture is stark. Mississippi has had four hospital system ransomware incidents in three years and has no state-level mandate requiring those institutions to maintain minimum cybersecurity standards.
The practical consequence of this void is a race to the bottom on security investment. Healthcare organizations, like most organizations, optimize for the pressures they actually face. Without regulatory pressure demanding baseline controls, security spending competes directly with clinical investments, administrative overhead, and the perennial resource constraints that define not-for-profit academic medical centers. The result, historically, is that security loses.
At the federal level, movement is underway but not yet law. HHS proposed significant updates to the HIPAA Security Rule in January 2025 that would shift it from a risk-management framework toward mandatory specific technical controls — multifactor authentication, network segmentation, annual penetration testing, and others. Congress has also considered the Health Infrastructure Security and Accountability Act, which would establish mandatory minimum cybersecurity requirements for healthcare entities across the country. As of early 2026, neither has cleared the full legislative process. In the meantime, the regulatory environment remains reactive by design: fines follow breaches, and standards remain advisory until they are not.
"Ten years ago, ransomware attacks lasted three, four, five days. The trend with these types of attacks the last four or five years, to last weeks to months is not uncommon." — Dr. Jeff Tully, co-director of the Center for Healthcare Cybersecurity at UC San Diego Health, quoted by Mississippi Free Press, February 19, 2026
That observation from a cybersecurity professional speaking to the Mississippi Free Press carries significant weight. The UMMC press conference was less than 24 hours old when these words were spoken. The incident is expected to last multiple days. Whether it extends into the weeks-to-months range that modern ransomware incidents increasingly occupy will depend on the state of UMMC's backups, the nature of the ransomware variant deployed, and decisions that have not yet been made publicly. What is already clear is that the disruption extends beyond UMMC itself — county health departments that rely on UMMC's Epic system for clinical services were reported to have been forced back to paper charts, rippling the operational impact across the state's public health infrastructure.
Key Takeaways
- Ransomware is not primarily about clinical data. Attackers target the demographic and billing layer of patient records — Social Security numbers, insurance information, payment data — because that information can be directly monetized through identity theft. Clinical data is largely incidental.
- Downtime procedures are not optional. UMMC's ability to continue emergency services, trauma care, and critical care during a total Epic outage was the direct result of having and rehearsing clinical downtime protocols. Institutions without those protocols would face worse outcomes in an identical attack.
- The federal response threshold has changed. The FBI surging resources "locally and nationally" within hours of a hospital ransomware incident reflects a post-2021 posture shift. Healthcare is now treated as critical infrastructure at the federal response level, not just on paper.
- Repeated victimization is a pattern, not bad luck. Mississippi's four hospital ransomware incidents in three years reflect a structural condition — insufficient security investment, no state-level minimum standards, and a regulatory environment that primarily responds to breaches rather than preventing them.
- Attack durations have lengthened dramatically. Modern ransomware incidents in healthcare routinely extend to weeks or months. The UMMC incident should be understood in that context, not as a multi-day disruption that resolves over a weekend.
- The blast radius extends beyond the institution. County health departments that shared UMMC's Epic system were reportedly forced back to paper charts within hours of the attack. Ransomware against a major academic medical center does not stay inside that institution's walls — it cascades across every entity that depends on its infrastructure, extending the public health impact well beyond the immediate target.
- Attacker contact is not resolution. The fact that ransomware operators communicated with UMMC within hours of the attack is, according to cybersecurity incident responders who regularly handle healthcare ransomware cases, a standard element of the ransom negotiation playbook, not a sign that the situation is close to being resolved. Negotiations run in parallel with ongoing forensic investigation and system restoration efforts.
What happened at UMMC on February 19, 2026 is not a surprise. It fits a pattern that has been building for years across Mississippi and across the United States. Academic medical centers are high-value targets, structurally under-resourced for security, carrying data that is worth more per record than almost any other industry, and facing operational pressures that create near-irresistible leverage for attackers. The attack on UMMC is the fourth chapter in a story that Mississippi, and the healthcare sector more broadly, has not yet figured out how to end.
As of the time of this writing, no ransomware group has publicly claimed responsibility. That is not unusual. Groups often delay public claims while ransom negotiations are ongoing: a public claim before payment draws law enforcement attention and can harden the victim's resolve, while a claim after a failed negotiation comes with the data publication that carries out the threat. The FBI and CISA are actively investigating. UMMC's clinics remain closed. The system is on paper. And somewhere, the people who launched this attack are watching the clock tick.
Editor's note: This article was published on February 20, 2026 — the morning of the second day of the UMMC ransomware incident. It reflects information available as of publication time. The incident was ongoing, and details including the scope of data exposure, attack duration, and responsible group had not been confirmed. This article will not be updated in real time.
Sources: Mississippi Free Press, Mississippi Today, MPB News, WLBT (incident report), WLBT (3 On Your Side investigation), WJTV, GovInfoSecurity / HealthInfoSec, DataBreaches.net, DysruptionHub, The Daily Mississippian. All quotes are drawn from coverage published February 19–20, 2026.