University of Mississippi Medical Center — Medusa ransomware
Medusa ransomware took Mississippi's only Level I trauma centre offline for nine days, demanded $800,000, and claimed exfiltration of more than 1 TB.
- Target
- University of Mississippi Medical Center — Medusa ransomware
- Date public
- 12 March 2026
- Sector
- Healthcare
- Attack type
- Ransomware
- Threat actor
- Medusa
- Severity
- High
- Region
- United States
The University of Mississippi Medical Center detected a ransomware intrusion on 19 February 2026 that knocked out core IT systems, including its EPIC electronic medical record platform. The 10,000-employee health system — which houses Mississippi’s only Level I trauma centre, only Level IV neonatal intensive care unit, only paediatric hospital and only organ transplant programme — operated on paper for nine days while clinics were closed statewide.
UMMC fully reopened on 2 March. On 12 March, the Medusa ransomware group publicly claimed the attack, posted UMMC to its dark-web leak site, and demanded $800,000 in exchange for not publishing more than 1 TB of allegedly exfiltrated data including patient health information and employee records. UMMC reportedly offered $550,000, which Medusa refused.
Medusa is widely assessed to be Russia-based, given its avoidance of CIS-region targets, Russian-language forum activity and Cyrillic operational tooling. The group operates a double-extortion model and has been increasingly active in US healthcare since 2024.
A deep-dive will follow when forensic detail on the initial access vector, dwell time, and any data leak is publicly available.