Months after UMMC cyberattack, questions persist about patient data and systems improvements
By Gwen Dilworth | Originally published by Mississippi Today
The University of Mississippi Medical Center is conducting a detailed forensic analysis with support from the FBI and cybersecurity experts to determine what data was accessed or exfiltrated during the February cyberattack that struck the hospital system and forced it to cancel appointments and elective surgeries for nine days.
The medical center will meet all regulatory and reporting requirements after it concludes its investigation, UMMC spokesperson Patrice Guilfoyle said in a statement to Mississippi Today.
“What we do know is the Feb. 19 cyberattack was not the result of a single user error or someone clicking on a malicious email,” Guilfoyle said. “Our monitoring systems and recovery protocols worked as designed, enabling us to stop the intrusion quickly and return largely back to normal significantly faster than the national average for recovery from similar incidents.”
Ransomware group Medusa claimed credit for the cyberattack in March, nearly a month after the initial attack that shut down UMMC’s network, and demanded payment to prevent the publication of stolen data, cybersecurity news outlet The Record reported.
Guilfoyle did not respond to Mississippi Today’s questions about whether patient data was stolen in the cyberattack, the steps UMMC is taking to strengthen its cybersecurity defenses or confirm whether Medusa was the organization that attacked the medical center. She declined Mississippi Today’s request for an in-person interview with medical center leadership.
Ransomware organizations use malicious software to hold computer systems or data hostage and demand payment for their release. These groups have increasingly targeted health care organizations in pursuit of large payouts.
The health care industry was the top sector targeted by ransomware attacks in 2025, according to the FBI’s 2025 Internet Crime Report. The federal agency received 460 ransomware reports regarding health care organizations last year, up from 238 such reports in 2024 — representing almost double the number of attacks.
Medusa’s two-pronged tactic
Medusa was first identified in 2021 and has repeatedly struck health care, manufacturing and government targets across the world, according to the U.S. Cybersecurity and Infrastructure Security Agency. Most of its attacks have been on U.S. organizations. In March 2025, CISA issued an advisory warning against the organization’s dangerous attacks on critical infrastructure, which had impacted 300 organizations by February of that year.
Researchers believe the group has origins in Russia or a Russian-speaking country, because it avoids targeting those regions and uses Cyrillic script in operational tools.
The group is centrally organized and carries out direct attacks and ransomware-as-a-service operations, in which affiliates deploy the group’s tools to launch attacks in exchange for payment, said Cynthia Kaiser, senior vice president for California-based cybersecurity company Halcyon’s Ransomware Research Center and former deputy assistant director of the FBI Cyber Division.
Cybersecurity experts at Microsoft published a report in April on Medusa’s rapid attacks, identifying several cases in which the group accessed an organization’s network, exfiltrated data and deployed ransomware within 24 hours. Another recent investigation showed that cybercriminals tied to a state-backed North Korean hacking operation used Medusa to launch attacks against a company in the Middle East and a healthcare organization in the U.S., according to The Record.
Kaiser said Medusa’s core developers manage ransom negotiations and have developed a reputation for accurately reporting their attacks. The organization frequently uses “double extortion” tactics, she said. Using this method, the group first encrypts and disables a victim’s computer system and then threatens to release stolen data publicly if a ransom is not paid.
Did UMMC pay a ransom?
The initial shutdown of UMMC’s computer systems and Medusa’s subsequent March demand for payment to prevent the publication of stolen data fit the pattern of double extortion methods and suggest that UMMC did not pay an initial ransom in February to regain access to its computer system, said Allan Liska, an intelligence analyst for Massachusetts-based cyber threat intelligence company Recorded Future who is familiar with the case but not actively involved in it.
“Typically, the data is not offered for sale unless a victim did not pay (an initial ransom),” Liska said. He added that organizations often rebuild their computer systems from the ground up rather than pay to restore access.
Kaiser also said it is “safe to assume” that UMMC did not pay an initial ransom, citing the delayed attempt to extort payment over stolen data.
UMMC has not publicly stated whether or not it paid a ransom to its attacker.
Dr. John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk who previously spent more than 30 years at the FBI, said it is difficult to determine how many organizations pay a ransom because such payments are often not publicly disclosed. Many cybersecurity experts, including Riggi, advise against paying ransoms, warning that doing so can make organizations more vulnerable to future attacks.
Based on his experience working in cybersecurity, Riggi said he believes fewer than half of organizations pay a ransom. He added that an increasing number of health systems are well-positioned not to pay because they maintain robust backup systems and prepare to deliver care even when networks and internet-connected technologies are offline.
For nine days during the cyberattack on UMMC, medical staff cared for patients using paper charts — some for the first time in their careers — and without access to Wi-Fi or phone lines.
Kaiser said UMMC’s recovery time was faster than many other targets of ransomware attacks.
“We’ve seen that fast, but it can take weeks in some cases,” she said.
A 2020 cyberattack on the University of Vermont Medical Center resulted in the academic medical center losing access to its electronic medical record system for 28 days and cost the system about $65 million, according to Vermont Public.
UMMC’s revenue fell about 20% below budget in February, the month of the cyberattack, but hospital leaders said in March they expected revenue to rebound as patient care charges logged on paper during the attack were input into the hospital’s computer system and postponed surgeries were rescheduled.
Unclear if patient health information was stolen
UMMC has not filed a protected health information breach report with the U.S. Department of Health and Human Services’ Office for Civil Rights, according to the federal agency’s public breach database. Breaches of unsecured protected health information affecting 500 or more people must be reported to the agency within 60 calendar days from the discovery of the breach.
But hospitals may delay reporting in some situations, such as an ongoing investigation into the number of records stolen, Riggi said. Guilfoyle, UMMC’s spokesperson, said the medical center will meet all reporting requirements after it completes its ongoing investigation.
UMMC initiated a one-year, emergency contract with attorney Jim Griszczak of McDonald Hopkins LLC to provide legal services related to the cyber incident in February, according to Institutions of Higher Learning board meeting minutes. Griszczak co-chairs McDonald Hopkins’ data privacy and cybersecurity practice group and advises clients on data security measures and responding to security breaches, according to the firm’s website. The agreement is pending approval from Attorney General Lynn Fitch, according to the board’s most recently published minutes.
It is unclear if or what type of data the cyberattacker may have stolen or may be threatening to release. Cyberattackers do not only steal patient health information. They may also exfiltrate other types of data, such as business operations data, said Selena Larson, a staff threat researcher at California-based cybersecurity company Proofpoint.
Breaches of U.S. patient data are widespread. In 2025 alone, 710 major incidents were reported to the Office for Civil Rights, affecting over 61 million patients — or nearly a fifth of the nation’s population, according to a HIPAA Journal report.
“Statistically speaking, almost every U.S. person has had their health care records compromised at least once, and many more than once,” Riggi said.
Because such incidents are so common — and there is no guarantee that cybercriminals will refrain from publishing or selling stolen data, even after they are paid — Riggi said he does not advise health care organizations to pay ransoms for data.
‘You have to assume you’ll get hit’
Ransomware attacks have become more prevalent and can be carried out faster than in the past, creating an imperative for health care organizations to develop strong defenses and a plan for when, and not if, they are attacked, Kaiser said.
“You have to assume you’ll get hit,” she said.
But it is challenging for hospitals to create strong defenses against cybersecurity risks as they face other financial pressures, such as the rising costs of medical supplies, workforce salaries and anticipated federal cuts.
“It is difficult for them to fully implement programs when they are facing these massive financial pressures,” Riggi said.
Providing care to patients is the priority for most hospitals, Riggi added. But failing to address cybersecurity risks has been shown to significantly impact patients, too.
Research shows that patient care outcomes decline in the wake of ransomware attacks. One 2026 study conducted by researchers at the University of Minnesota Twin Cities found that among Medicare patients hospitalized during the attack, hospitals targeted by ransomware experienced an average increase of 34% to 38% in mortality rates compared to those discharged in the five weeks prior. The impact to patient care was most severe among the sickest patients with the most complex medical needs.
Hospitals across the U.S. face significant federal funding cuts in coming years as a result of President Donald Trump’s sweeping tax and spending bill signed into law in July. These cuts could impact hospitals’ ability to establish and maintain strong defenses against cybersecurity risks.
“The bottom line is that all of these reductions are going to place enormous pressure on hospitals,” Riggi said.
This article was originally published by Mississippi Today and is republished here under a Creative Commons license.