The University of Mississippi Medical Center may have violated federal privacy law following a ransomware attack that crippled its systems in February, according to a 3 On Your Side investigation. The February ransomware attack crippled systems at the hospital for nine days. Under HIPAA, hospitals must notify the Department of Health and Human Services, affected patients and local media within 60 days when an attack exposes personal information of more than 500 patients. A public records spokesperson said UMMC had no responsive records, meaning it had no documents showing it reported the breach or notified a single patient.