UMMC Revenue Down 20% After Cyberattack, Expect Rebound | Mississippi Today

by Grace Chen

The University of Mississippi Medical Center (UMMC), the state’s only academic medical center, experienced a significant financial hit in February following a debilitating cyberattack that forced the cancellation of elective procedures and appointments. Revenue fell roughly 20% below budget, amounting to a shortfall of approximately $34.2 million compared to the expected $194.1 million, according to hospital budget reports. The attack underscores the growing vulnerability of healthcare systems to ransomware and the cascading consequences that extend far beyond immediate patient care disruptions.

The cyberattack, discovered in February, crippled UMMC’s IT infrastructure, including systems holding critical electronic health records. For nine days, clinicians reverted to paper charts – a practice unfamiliar to many in their careers – and operated without access to essential communication tools like Wi-Fi and phone lines. While normal operations resumed on March 2, the financial repercussions are still unfolding, and a full accounting of the damage is expected to take several more months.

Financial Recovery Anticipated, But Timeline Uncertain

UMMC leaders anticipate a rebound in revenue as patient care charges, initially documented on paper during the system outage, are entered into the hospital’s computer system. Rescheduling the roughly 650 surgeries delayed during the attack is also expected to contribute to financial recovery. However, Dr. LouAnn Woodward, UMMC’s vice chancellor for health affairs, cautioned that a clear picture of the financial impact won’t emerge until March or April, potentially even extending to the end of the state’s fiscal year on June 30. She shared this assessment at a recent meeting of the Institutions of Higher Learning committee.

Jennifer Sinclair, UMMC’s chief financial officer, indicated that all patient care charges from the affected period should be reflected in the electronic system by the end of March. “That will catch up in March and will get a better reflection of what impact really was,” Sinclair said. Despite the revenue dip, other UMMC expenses remain on budget, and the hospital’s net income is currently about $8.6 million behind budget for the year.

Beyond the Ransom: The True Cost of Cyberattacks on Healthcare

The UMMC attack highlights the multifaceted financial burden cyberattacks place on hospitals. While a ransom payment wasn’t publicly disclosed in this case, Dr. Christian Dameff, an associate professor and co-director of the Center for Healthcare Cybersecurity at the University of California San Diego, explained that the costs extend far beyond any initial ransom demand. “They require, afterwards, a lot of money to try to shore up defenses,” Dameff said. “These are types of things that can cause systemic issues or risks to financial solvency for some organizations.”

The 2020 cyberattack on the University of Vermont Medical Center serves as a stark example. According to Vermont Public, that attack resulted in 28 days of lost access to electronic medical records and a total cost of approximately $65 million. Like the UMMC incident, it led to widespread appointment cancellations and disruptions in patient care.

Impact on Patient Care and UMMC’s Mission

UMMC plays a critical role in Mississippi’s healthcare landscape, operating seven hospitals and 35 clinics statewide. It is particularly vital for providing care to low-income and uninsured patients, regardless of their ability to pay. The cyberattack had implications beyond financial losses, potentially delaying necessary medical interventions for vulnerable populations.

During the nine-day disruption, UMMC staff demonstrated remarkable resilience, adapting to a largely analog system to continue providing essential care. UMC News reported that some staff members hadn’t used paper charts in their careers, highlighting the extent to which healthcare has become reliant on digital infrastructure. Clinic and operating room hours have been extended to accommodate the backlog of rescheduled appointments, according to Woodward.

The incident also underscores the broader trend of increasing cyberattacks targeting healthcare organizations. Ransomware attacks, in particular, have become increasingly sophisticated and frequent, posing a significant threat to patient safety and the stability of the healthcare system. The FBI continues to investigate the UMMC attack, but no details have been released regarding the perpetrators or their motives.

UMMC is working to enhance its cybersecurity defenses and implement measures to prevent future attacks. The hospital is also collaborating with state and federal agencies to share information and best practices for protecting against cyber threats. The full extent of the financial and operational impact of the February cyberattack will become clearer in the coming months, but it serves as a critical reminder of the importance of cybersecurity in modern healthcare.

The hospital expects to provide a more comprehensive financial update in its next public report, scheduled for release in late April. Readers seeking information about cybersecurity threats and resources can visit the Cybersecurity and Infrastructure Security Agency (CISA) website.
