UMMC may have violated federal privacy law after ransomware attack

https://www.wlbt.com/2026/05/22/ummc-may-have-violated-federal-privacy-law-after-ransomware-attack/

Publish Date: 2026-05-22 19:14:00

Source Domain: www.wlbt.com

JACKSON, Miss. (WLBT) – The University of Mississippi Medical Center may have violated federal privacy law following a ransomware attack that crippled its systems in February, according to a 3 On Your Side investigation.

Federal law gives hospitals 60 days to tell the government and their patients when a cyberattack exposes private data. That deadline passed more than a month ago.

The February ransomware attack crippled systems at the hospital for nine days. Under HIPAA, hospitals must notify the Department of Health and Human Services, affected patients and local media within 60 days when an attack exposes personal information of more than 500 patients.

WLBT requested records that would have shown the hospital either met that deadline or had a justified reason for delaying it, asking for patient notification letters, breach notification letters and letters or memos from the FBI indicating such.

A public records spokesperson said UMMC had no responsive records, meaning it had no documents showing it reported the breach or notified a single patient.

Healthcare law attorney Brant Ryan said the government looks at several factors before considering whether a hospital violated privacy laws.

“They will examine exactly what took place, and whether or not you acted reasonably in responding to it based under the circumstances,” Ryan said. “So, there’s a one-size-fits-all requirement or restriction on when you have to impose or provide this notification. But at the same time, practically, that may not be available to you to perform fully, again, depending upon the scope and volume of data that’s impacted.”

Failing to notify the government or patients when their data is breached can result in hefty fines. In February, a 3 On Your Side investigation uncovered UMMC had to pay nearly $3 million for a 2013 breach in part because the hospital failed to notify those affected.

The only exception the federal government gives for not reporting a breach of patient data is if…
