Key Findings

• A ransomware attack on the University of Hawaiʻi (UH) Cancer Center compromised personal data of approximately 1.2 million individuals.

• The attack, detected on August 31, 2025, targeted servers supporting the center's Epidemiology Division and did not impact clinical operations, patient care, or student records.

• The stolen data includes names, Social Security numbers, driver's license details, voter registration records, and health-related information, raising concerns about identity theft and long-term privacy risks.

• The breach involved three main groups: 1.15 million individuals from historical records collected in 1998-2000, 87,493 participants of the Multiethnic Cohort Study, and additional research registry files.

• The university engaged with the threat actors, obtained a decryption tool, and secured a promise that the stolen data was destroyed, but it is unclear if a ransom was paid.

Background

The University of Hawaiʻi (UH) has confirmed that a major security breach at its Cancer Center has significantly affected more people than first thought, with the total now reaching approximately 1.24 million individuals. The incident, which was first detected on 31 August 2025, involved a ransomware attack that targeted the center's research systems.

Stolen Data and Affected Groups

The breach involved three main groups of affected individuals:

1. About 1.15 million individuals whose personal details were found in historical records collected in 1998 and 2000 from voter registration and the Department of Transportation. These records often included Social Security numbers as primary identifiers.

2. 87,493 participants of the long-running Multiethnic Cohort (MEC) Study, which started in 1993 and followed residents from Hawaii and Los Angeles. The stolen files for this group included names, addresses, Social Security numbers, and in some cases, health-related information.

3. Additional research registry files with names and Social Security numbers collected from public health sources for epidemiological studies.

University's Response and Experts' Perspectives

The university engaged with the threat actors and obtained a decryption tool to unlock their systems, as well as a promise that the stolen data was destroyed. However, it is unclear if a ransom was paid.

Cybersecurity experts raised concerns about the long delay in notifying the public, as many laws do not require a notice if the data is encrypted. They also emphasized the need for stronger network segmentation, offline backups, and improved authentication methods to make lateral movement more difficult for ransomware operators.

Experts noted that these types of attacks on the healthcare and research industry are not slowing down, and it is essential for organizations to become "breach-ready" to maintain their resilience against these relentless threats.

The University of Hawaiʻi is offering affected individuals 12 months of free credit monitoring and identity theft protection services.

Sources

• https://hackread.com/ransomware-breach-university-of-hawaii-cancer-center/

• https://securityaffairs.com/188876/data-breach/data-breach-at-university-of-hawai%ca%bbi-cancer-center-impacts-1-2-million-individuals.html

• https://www.ctrlaltnod.com/news/hawaii-cancer-center-ransomware-attack-hits-1-2m-records/

• https://www.reddit.com/r/TechNadu/comments/1rjlro8/university_of_hawai%CA%BBi_cancer_center_ransomware/