TL;DR
- On February 19, 2026, a ransomware attack forced the University of Mississippi Medical Center to close all 35 of its clinics statewide and take its entire IT network offline — yet critically ill patients continued to receive care.
- The hospital's pre-existing emergency operations plan — not just its security tools — is what kept people alive while systems were down.
- Ransomware causes an average of 24 days of downtime [1], and 60% of small businesses hit by a cyberattack close within six months [2].
- The difference between businesses that survive ransomware and those that don't is operational resilience built before the attack — not just tech defenses.
- A business continuity plan, tested offline backups, and segmented networks are the three moves that change the outcome.
What Happened at UMMC — and Why It Matters for Your Business
In the early hours of Thursday, February 19, 2026, the University of Mississippi Medical Center's network went dark. A ransomware attack hit its IT systems, including Epic — the electronic health record platform used to track every patient in the building [3]. Within hours, UMMC Vice Chancellor LouAnn Woodward stood in front of cameras and said words that every business owner should sit with:
Free Resource
Get Our Weekly Cybersecurity Digest
Every Thursday: the threats that matter, what they mean for your business, and exactly what to do. Trusted by SMB owners across Australia.
No spam. No tracking. Unsubscribe anytime. Privacy
Weekly Threat Briefing — Free
Curated threat intelligence for Australian SMBs. Active campaigns, new CVEs, and practical mitigations — every week, straight to your inbox.
Subscribe Free →"There are a lot of questions that I have, that we all have, that you have, that we don't know the exact answers to at this point."
All 35 UMMC clinics across Mississippi closed. Outpatient appointments and elective surgeries were cancelled. Phone systems went down. The hospital's website went dark. Billing stopped. The FBI, CISA, and the Department of Homeland Security mobilised [4].
And yet — critically ill patients kept receiving care. Nurses took vitals by hand. Clinicians wrote orders on paper. The one facility that stayed open was the dialysis clinic, because lives depended on it [5].
That is the story inside the story: a healthcare system hit hard enough to shut down 35 locations kept its most essential operations alive because it had a plan. That plan — not any particular firewall — is what you need to understand before another ransomware attack makes the news.
Related: 1 in 4 Data Breaches Now Come Through Your Vendors
Why Ransomware Keeps Hitting Healthcare — and Why Your Industry Is Next
UMMC's attack is the fourth hospital system in Mississippi to be targeted by cybercriminals in just three years [6]. Singing River Health System was hit twice. North Mississippi Health Services and OCH Regional Medical Center were both compromised in 2023. None of these are small community clinics — they are major regional health systems with dedicated IT departments.
According to Unit 42's 2026 Global Incident Response Report, which analysed over 750 major cyber incidents globally, AI is now compressing attack timelines to as little as 72 minutes from initial access to data exfiltration — four times faster than last year [7]. Ransomware actors are no longer methodically probing networks over weeks. They breach, move laterally, and deploy encryption in a single morning.
Healthcare is a lucrative target for a specific reason: the cost of downtime is existential. A hospital cannot simply tell patients to come back in two weeks. That operational urgency — the same urgency that makes hospitals pay ransoms — exists in any business where time matters. Legal practices with court deadlines. Accounting firms at tax time. Manufacturers with production schedules. Logistics companies with shipment windows.
According to Varonis, the average downtime from a ransomware attack is 24 days [1]. Ask yourself: can your business operate for 24 days without its primary systems?
How Much Does a Ransomware Attack Actually Cost?
The ransom itself is rarely the biggest expense. According to Sophos's 2025 State of Ransomware Report, the average ransom payment fell to approximately $1.0 million — but the total cost of recovery, including downtime, investigation, system rebuilding, regulatory response, and reputational damage, routinely reaches multiples of that figure [8].
For small businesses, the numbers are proportionally devastating. Research shows that 43% of all cyberattacks target SMBs [2]. Smaller organisations face tighter recovery budgets, less redundancy, and — critically — a narrower window to survive the financial shock. The statistic that should change how every business owner thinks about this: 60% of small businesses that experience a cyberattack close within six months [2].
UMMC itself paid $2.75 million in federal HIPAA fines a decade ago following a data breach — and federal investigators found at the time that the institution had been aware of system vulnerabilities since 2005 but had not acted on them [6]. Awareness without action is not a security posture. It is a liability.
ISO 27001 SMB Starter Pack — $97
Threat intelligence is one thing — having the policies and controls to respond is another. Get the complete ISO 27001 starter kit for SMBs.
Get the Starter Pack →What the UMMC Response Gets Right (and What Every Business Can Copy)
Here is what good looks like, even under attack.
Immediate network isolation. UMMC shut down its entire IT network the moment the attack was confirmed. This is painful — it closes clinics, kills phone systems, breaks billing — but it prevents ransomware from spreading further [4]. The instinct to "keep systems running while we investigate" is the instinct that turns a contained incident into a catastrophic one.
Emergency operations plan, activated. UMMC had a documented plan for exactly this scenario. Clinicians reverted to paper-based workflows. Monitoring equipment continued operating at bedsides because critical care bedside devices were not dependent on the central EHR. The plan was practised enough that staff could execute it under pressure [5].
Federal notification, immediately. The FBI was engaged the same day. CISA and DHS mobilised resources nationally. For SMBs, this translates to knowing in advance who to call: your managed security provider, your cyber insurance carrier, your legal counsel, and your IT incident response contact. Having a list of phone numbers saved somewhere not on your server is not optional — it is foundational.
Transparent communication. Woodward held a press conference the same day to communicate what was known and what was not. Trust erodes fastest in an information vacuum. The businesses that recover better are those that communicate early and honestly with clients, staff, and partners.
Related: How AI-Powered Phishing Is Changing the Threat Landscape
How to Build Resilience Before the Call Comes
The three structural moves that change ransomware outcomes — backed by what UMMC demonstrated under fire:
Does your business have a tested offline backup?
The only backups that survive ransomware are backups that ransomware cannot reach. Air-gapped or immutable backups — stored on media or in cloud systems with write-once configurations — are what allow organisations to restore without paying. According to Sophos, 97% of organisations that had data encrypted were able to recover it, but those that relied on backups recovered faster and at lower cost than those that paid [8]. Test your restore process quarterly. A backup you have never tested is a backup you cannot trust.
Is your network segmented?
Flat networks — where every device can communicate with every other device — are ransomware's favourite playground. Network segmentation means an attacker who compromises your reception desk computer cannot automatically reach your financial records, your client database, or your backup servers. Healthcare's ability to maintain bedside monitoring even with the central EHR down is a direct result of physical and logical network segmentation [5]. The same principle applies in any business environment.
Do you have an incident response plan that lives outside your systems?
Your incident response plan should exist on paper and in the minds of your key people. It should include: who to call, how to notify clients, how to operate manually, what systems to shut down first, and who has decision-making authority. Run a tabletop exercise once a year. Know what pen-and-paper operations looks like for your business — before you need it.
FAQ
The average downtime from a ransomware attack is 24 days, according to Statista and Varonis [1]. Full recovery — including rebuilding systems, completing forensic investigations, and clearing regulatory requirements — often takes months. Organisations with tested backups and documented incident response plans recover significantly faster than those without.
Paying a ransom is not recommended by the FBI or CISA, and for good reason: 80% of businesses that pay a ransom are attacked again shortly after, according to Cybereason research [9]. Payment does not guarantee recovery — 46% of those who paid still found their data corrupted or incomplete. The better investment is building backup and recovery capabilities before an attack occurs.
Tested, offline backups are the single highest-impact protection against ransomware. If you can restore from backup without paying, ransomware loses its leverage entirely. Pair this with network segmentation and multi-factor authentication on all accounts, and your risk profile drops significantly.
Isolate affected systems immediately — disconnect them from the network without turning them off (to preserve forensic evidence). Call your IT provider or incident response contact. Do not attempt to pay or negotiate without legal counsel. Notify your cyber insurance carrier. Document everything with timestamps. CISA provides a ransomware response checklist at cisa.gov/ransomware.
Cyber insurance policies vary widely. Research by Cybereason found that 42% of businesses with cyber insurance found it only covered a small portion of ransomware-related damages [9]. Read your policy carefully — coverage limits, exclusions for unpatched systems, and requirements for security controls all affect what is paid out. Do not assume a policy equals full coverage.
References
[1] Varonis, "Ransomware Statistics, Data, Trends, and Facts," Varonis Blog, 2026. [Online]. Available: https://www.varonis.com/blog/ransomware-statistics
[2] GSD Solutions, "The Cost of Data Breaches for Small Businesses in 2026," GSD Solutions Blog, 2026. [Online]. Available: https://gsdsolutions.io/the-cost-of-[data-breach](https://lil.business/blog/ransomware-backup-dual-extortion-smb-recovery-stack-2026/)es-for-small-businesses-in-2026/
[3] P. Dankins, "UMMC confirms ransomware attack forcing clinics to close," Clarion Ledger, Feb. 19, 2026. [Online]. Available: https://www.clarionledger.com/story/news/2026/02/19/university-of-mississippi-medical-center-cyberattack-forces-clinics-to-close/88757906007/
[4] J. Hughes, "UMMC closes clinics amid ransomware attack," TechTarget HealthTech Security, Feb. 20, 2026. [Online]. Available: https://www.techtarget.com/healthtechsecurity/news/366639393/UMMC-closes-clinics-amid-ransomware-attack
[5] UMMC Communications, "Feb. 19, 2026 Due to a cybersecurity attack, many UMMC IT systems are down," UMMC Facebook, Feb. 19, 2026. [Online]. Available: https://www.facebook.com/ummcnews/posts/1329275522567067/
[6] WLBT 3 On Your Side, "UMMC cyberattack is fourth to hit Mississippi hospital systems in three years," WLBT, Feb. 20, 2026. [Online]. Available: https://www.wlbt.com/2026/02/20/ummc-cyberattack-is-fourth-hit-mississippi-hospital-systems-three-years/
[7] Palo Alto Networks Unit 42, "2026 Unit 42 Global Incident Response Report – Attacks Now 4x Faster," Palo Alto Networks, Feb. 2026. [Online]. Available: https://live.paloaltonetworks.com/t5/community-blogs/2026-unit-42-global-incident-response-report-attacks-now-4x/ba-p/1248694
[8] Sophos, "State of Ransomware 2025," Sophos, 2025. [Online]. Available: https://www.sophos.com/en-us/whitepaper/state-of-ransomware
[9] Cybereason, "Ransomware: The True Cost to Business," Cybereason, 2021. [Online]. Available: https://www.cybereason.com/hubfs/dam/collateral/ebooks/Cybereason_Ransomware_Research_2021.pdf
[10] CISA, "Ransomware Guide," U.S. Cybersecurity and Infrastructure Security Agency, 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/ransomware-guide
[11] U.S. Department of Health and Human Services, "Resolution Agreement: University of Mississippi Medical Center," HHS Office for Civil Rights, 2016. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ummc/index.html
[12] Statista, "Length of downtime after a ransomware attack," Statista, 2025. [Online]. Available: https://www.statista.com/statistics/1275029/length-of-downtime-after-ransomware-attack-us/
Your business doesn't need to be a hospital to face the same risk — or to build the same resilience. lilMONSTER specialises in helping SMBs build incident response plans, test backups, and segment networks before the call comes. Book a free consultation at consult.lil.business and find out exactly where your gaps are.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →TL;DR
- A ransomware attack is like a thief breaking in and changing all the locks — except on your computer files.
- A real hospital just got hit by one and had to close 35 clinics in one morning.
- But critically ill patients were still treated — because the hospital had a plan.
- The businesses that survive ransomware are the ones that prepared before it happened.
- Three things protect you: backups stored somewhere safe, a plan on paper, and knowing who to call.
What Is Ransomware, Explained Like You're 10
Imagine your office building. You have filing cabinets, a till, appointment books, customer records — everything you need to run your business. Now imagine a burglar sneaks in overnight, photographs everything, then changes every single lock so you can't open anything. Then they slide a note under the door: "Pay us $1 million and we'll give you the keys back."
That's ransomware. Except it happens on your computers. Hackers sneak into your system, scramble all your files so you can't read them, and then demand payment — usually in cryptocurrency — to unlock everything. And paying doesn't always work: most businesses that pay get attacked again [1].
This happened to a real hospital — the University of Mississippi Medical Center — in February 2026. Their computers went down in the early morning. Thirty-five clinics across the state closed. Phones stopped working. The hospital's website disappeared. Doctors couldn't open patient records [2].
What Did the Hospital Do?
Here's the part that actually matters: the hospital kept treating its sickest patients anyway.
How? Because they had a plan for exactly this situation. Nurses took notes by hand. Doctors checked on patients in person. The machines monitoring heartbeats in the intensive care unit kept running — because those machines don't actually need the main computer system to work. The hospital knew what to do without computers, because they had practised it [3].
That's called a business continuity plan — and it's the difference between a crisis and a catastrophe.
The FBI and other government agencies also turned up to help. Not because the hospital did something wrong, but because hospital computer attacks are serious enough that the government has a whole team that responds to them [2].
Why Should This Matter to Your Business?
You might think: "I'm not a hospital. Nobody's going to hack me."
Actually, the opposite is true. Small and medium-sized businesses get hit far more often than huge corporations — 43% of all cyberattacks target smaller businesses, partly because hackers know smaller businesses often have fewer protections [4]. And when a small business gets hit, 60% of them close down within six months [4].
Think about it this way: what would happen to your business if you couldn't open a single computer file for 24 days? Because that's the average amount of time businesses are down after a ransomware attack [5].
Payroll? Frozen. Client records? Gone. Invoices? Inaccessible. Bookings? Vanished.
For a lot of small businesses, that's the end.
Three Things That Actually Protect You
These aren't complicated. They're the things the hospital did — and the things that saved them.
1. Backups that live somewhere separate
A backup that lives on the same computer or network that gets attacked is useless — the ransomware locks that too. You need a copy of your important files stored somewhere physically separate or in a special "locked" cloud account that ransomware can't reach. And you need to test that the backup actually works — don't find out it's broken when you need it.
2. A plan written on paper
If your plan for an emergency lives only on your computers, and your computers are locked... you have no plan. Write down: who to call, how to tell clients what's happening, what you can do manually, and who makes the big decisions. Keep it in a physical folder somewhere you can always find it.
3. Know who to call before you need them
The hospital called the FBI the same day. You won't call the FBI, but you should know in advance: your IT provider's emergency number, your cyber insurance contact, and your legal counsel. Have these numbers saved somewhere offline. In a crisis, you won't have time to Google them.
The Real Lesson: Planning Beats Panic
The hospital in Mississippi got hit hard. But doctors and nurses were still treating heart attack patients that same afternoon — with pen and paper — because the hospital had a plan and they'd practised it.
Security isn't about making attacks impossible. It's about building a business that can take a hit and keep moving.
At lil.business, we help small businesses build exactly that kind of resilience — backup systems, incident response plans, and the security foundations that mean you're not starting from zero when something goes wrong. Book a free consultation at consult.lil.business — and find out what your plan looks like today.
FAQ
Q: What is the main security concern covered in this post? A:
Q: Who is affected by this? A:
Q: What should I do right now? A:
Q: Is there a workaround if I can't patch immediately? A:
Q: Where can I learn more? A:
References
[1] Cybereason, "Ransomware: The True Cost to Business," Cybereason, 2021. [Online]. Available: https://www.cybereason.com/hubfs/dam/collateral/ebooks/Cybereason_Ransomware_Research_2021.pdf
[2] P. Dankins, "UMMC confirms ransomware attack forcing clinics to close," Clarion Ledger, Feb. 19, 2026. [Online]. Available: https://www.clarionledger.com/story/news/2026/02/19/university-of-mississippi-medical-center-cyberattack-forces-clinics-to-close/88757906007/
[3] J. Hughes, "UMMC closes clinics amid ransomware attack," TechTarget HealthTech Security, Feb. 20, 2026. [Online]. Available: https://www.techtarget.com/healthtechsecurity/news/366639393/UMMC-closes-clinics-amid-ransomware-attack
[4] GSD Solutions, "The Cost of Data Breaches for Small Businesses in 2026," GSD Solutions Blog, 2026. [Online]. Available: https://gsdsolutions.io/the-cost-of-data-breaches-for-small-businesses-in-2026/
[5] Varonis, "Ransomware Statistics, Data, Trends, and Facts," Varonis Blog, 2026. [Online]. Available: https://www.varonis.com/blog/ransomware-statistics
