JACKSON, Miss. (WLBT) – The University of Mississippi Medical Center may have violated federal privacy law following a ransomware attack that crippled its systems in February, according to a 3 On Your Side investigation.
Federal law gives hospitals 60 days to tell the government and their patients when a cyberattack exposes private data. That deadline passed more than a month ago.
The February ransomware attack crippled systems at the hospital for nine days. Under HIPAA's Breach Notification Rule, a hospital must notify affected patients without unreasonable delay and no later than 60 days after it discovers a breach of protected health information; when more than 500 people are affected, it must also notify the Department of Health and Human Services and prominent local media within that same 60-day window.
WLBT requested records that would have shown the hospital either met that deadline or had a justified reason for delaying it, asking for patient notification letters, breach notification letters and letters or memos from the FBI indicating such.
A public records spokesperson said UMMC had no responsive records, meaning it had no documents showing it reported the breach or notified a single patient.
Healthcare law attorney Brant Ryan said the government looks at several factors before considering whether a hospital violated privacy laws.
“They will examine exactly what took place, and whether or not you acted reasonably in responding to it based under the circumstances,” Ryan said. “So, there’s a one-size-fits-all requirement or restriction on when you have to impose or provide this notification. But at the same time, practically, that may not be available to you to perform fully, again, depending upon the scope and volume of data that’s impacted.”
Failing to notify the government or patients when their data is breached can result in hefty fines. In February, a 3 On Your Side investigation uncovered that UMMC had paid nearly $3 million over a 2013 breach, in part because the hospital failed to notify those affected.
Federal rules do not let a hospital skip the notification, but they do let it delay one: if the FBI or another law enforcement agency states that notifying patients would impede a criminal investigation, the clock pauses for the period the agency specifies (or up to 30 days on an oral request, unless a written one follows). The only other way to avoid notifying is a documented risk assessment concluding there is a low probability that the data was compromised.
Nearly a month ago, 3 On Your Side emailed UMMC several direct yes or no questions:
- Has UMMC confirmed that patient health information was accessed or taken during the February 19 attack?
- Has UMMC filed a breach notification report with HHS’s Office for Civil Rights?
- Has UMMC conducted a risk assessment and determined that patients are unlikely to be harmed?
- Has the FBI or another law enforcement agency formally asked UMMC to delay notifying patients?
- Have patients been individually notified that their information may have been compromised?
- Has UMMC notified any media outlets as required under HIPAA for large breaches?
Spokesperson Patrice Guilfoyle did not answer any of them. She said in an April 27 response that UMMC is working with the FBI and national cybersecurity experts.
“We are continuing detailed forensic analysis to determine what data was accessed or exfiltrated, and we will meet all regulatory and reporting requirements upon conclusion of the investigation,” Guilfoyle said, referring all other questions to a form on the university’s website meant for requesting public records.
Mississippi law explicitly states that a person cannot ask questions of public bodies under the Public Records Act; only identifiable records can be requested.
Since that statement, WLBT has sent multiple emails requesting an answer to those direct yes or no questions to the hospital’s executive director of communications, Marc Rolph.
Those emails have gone unanswered.
Multiple news outlets reported the Russian hacker group Medusa has claimed responsibility and claims it also obtained patient data. UMMC has not confirmed that.
If the hospital cannot prove a law enforcement delay was requested, it could face significant fines yet again.
Copyright 2026 WLBT. All rights reserved.
