A ransomware attack on the University of Hawaiʻi Cancer Center exposed personal data of 1.2 million people.

A 2025 ransomware attack targeting the University of Hawaiʻi Cancer Center compromised the personal information of about 1.2 million individuals.

The attack hit the University of Hawaiʻi Cancer Center on August 31, 2025, impacting servers that support research operations but not clinical care or patient services. Officials engaged with the threat actors to obtain a decryption tool and secure assurances that exfiltrated data was destroyed, but did not disclose whether a ransom was paid.

“On or about August 31, 2025, UHCC learned that it was the victim of a cyberattack isolated to specific systems that support its Epidemiology Division.” reads General Incident Overview. “The unauthorized third party encrypted large amounts of data, and provided proof that it had potentially exfiltrated a portion of that data. There was no impact to information held by the UHCC’s Clinical Trials operations, patient care or any other divisions, and there was no impact to student records.”

After detecting unauthorized access to research files, UHCC disconnected affected systems, removed the threat actor.

At the time of the incident, the organization notified law enforcement and investigated the security breach with the help of external cybersecurity experts.

Stolen data includes names, Social Security numbers, driver’s license details, voter registration records, and health-related information, raising serious concerns about identity theft and long-term privacy risks for those affected.

The breach involved three main groups. First, two legacy files from 1998–2000 containing names and SSNs, drawn from Hawaii driver’s license and voter registration records, which at the time often used SSNs as identifiers. Second, files tied to the Multiethnic Cohort Study and other cancer research projects, including names, addresses, SSNs, limited health data, and registry information. Third, additional research registry files with names and SSNs collected from public health sources for epidemiological studies.

Most of the exposed data relates to a long-running study launched in 1993 that recruited over 215,000 participants. Records of 87,493 participants were compromised, including names, Social Security numbers, and in some cases research and health information.

“There was no impact to information held by the UH Cancer Center’s Clinical Trials operations, patient care, or any other divisions of the UH Cancer Center. There was no impact on UH student records,” the institution says.

The University of Hawaiʻi is offering affected individuals 12 months of free credit monitoring and identity theft protection services.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, University of Hawaiʻi Cancer Center)

The University of Hawaii is confronting the fallout from the 2025 UH Cancer Center cyberattack. The breach affected research systems at the University of Hawaiʻi Cancer Center and potentially exposed sensitive personal data, including Social Security numbers and driver’s license numbers, collected decades ago for epidemiological research.  According to an official report, the discovery of the data exposure occurred in December 2025. However, the cybersecurity incident itself was first identified on or about August 31, 2025. The ransomware attack was isolated to specific servers supporting research operations at the Cancer Center.  The University of Hawaii confirmed that the UH Cancer Center cyberattack did not affect clinical operations, patient care, or medical records. There was also no impact on student records or other divisions within the University of Hawaii system.  The affected data was contained strictly within research files and not connected to patient treatment records. 

What Data Was Involved in the UH Cancer Center Cyberattack 

During the UH Cancer Center cyberattack, an unauthorized third party encrypted and potentially exfiltrated data from certain research servers. The compromised files included:

• Two files containing names paired with Social Security numbers. 
• One file included Hawaiʻi driver’s license numbers collected in 2000 from the State Department of Transportation. At that time, driver’s license numbers were typically based on Social Security numbers. 
• The second file contained voter registration information collected in 1998 from the City and County of Honolulu, where identifiers also commonly included Social Security numbers. 

These historical records were primarily used to recruit participants for long-term epidemiological research, particularly the Multiethnic Cohort (MEC) Study. 

Impact on the Multiethnic Cohort Study 

The UH Cancer Center cyberattack potentially impacted 87,493 participants in the long-running Multiethnic Cohort Study. Established in 1993, the MEC Study recruited more than 215,000 men and women between the ages of 45 and 75 from 1993 to 1996. Participants came from five primary racial and ethnic groups residing in Hawaiʻi and Los Angeles, California.  Additional affected research included three epidemiological studies focused on diet and cancer, specifically colorectal adenomas (with recruitment spanning 1995–2007) and colon cancer (1994–2005). These files contained names combined with Social Security numbers and/or driver’s license numbers. Some files also included participant questionnaires, health-related research data, and information sourced from national and state public health registries.  Two additional files containing names and Social Security numbers collected from public health registries were also compromised. One of those files stopped accepting new names in 1999, while the other closed in the mid-2000s.  Beyond the 87,493 MEC participants, approximately 1.15 million additional individuals may have had their information included in historical driver’s license and voter registration records that contained Social Security identifiers.  Investigations remain ongoing to determine whether other sensitive information was involved. The University of Hawaii has stated that any additional findings are expected to be nominal, and affected individuals will be notified separately where possible. 

University Response and Law Enforcement Involvement 

Following the discovery of the UH Cancer Center cyberattack, the University of Hawaii immediately disconnected the affected systems and worked to terminate unauthorized access. Third-party cybersecurity experts were retained to investigate the scope of the breach.  Due to the extensive encryption deployed by the threat actors, restoration of systems took time. During the investigation, it was determined that an unauthorized third party had accessed and had the opportunity to exfiltrate a subset of research files.  While the review was underway, the university made the decision to engage with the threat actors in an effort to protect affected individuals. Working with cybersecurity specialists, the University of Hawaii obtained a decryption tool and secured affirmation that the unlawfully obtained data was destroyed. As of now, officials report no evidence that the information has been published, shared, or misused.  Initially, most of the affected files appeared to contain research data without personal identifiers. However, a more detailed third-party electronic review confirmed the presence of files dating back to the 1990s that contained Social Security numbers used at that time to identify research participants.  After confirming the exposure, the University of Hawaii initiated notification procedures in accordance with §487N-4 of the Hawaiʻi Revised Statutes. 

Notification and Support for Affected Individuals 

On February 23, notification letters were mailed to 87,493 MEC Study participants. The University of Hawaii also identified approximately 900,000 email addresses and is providing notice through electronic communication, a public announcement, and a dedicated UH Cancer Center Cyberattack Information and Resource Website.  Affected individuals are being offered: 

• 12 months of free credit monitoring 
• $1 million in identity theft insurance 

Officials have advised the public to rely only on updates posted through official University of Hawaii channels and to disregard unsolicited websites or social media messages requesting personal information. 

Systemwide Security Enhancements 

In response to the UH Cancer Center cyberattack, the University of Hawaii has implemented extensive cybersecurity upgrades. These measures include: 

• Installing endpoint protection software with 24/7 monitoring 
• Rebuilding compromised systems 
• Resetting passwords and replacing affected user accounts 
• Migrating sensitive research servers into the UH Information Technology Services data center 
• Replacing and upgrading firewalls with enhanced security controls 
• Conducting third-party security assessments 
• Enforcing stricter access controls and mandatory cybersecurity training 

Additionally, the University of Hawaii created a new Information Security Governance Council for Research and established an Information Security Task Force to update policies, strengthen cybersecurity roles, and recommend enterprise-level controls.  Naoto T. Ueno, director of the UH Cancer Center, stated:  “The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted. We take this matter extremely seriously and are committed to transparency, accountability, and strengthening protections for the research data entrusted to us.”  University of Hawaii President Wendy Hensel emphasized the broader response:  “This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed. We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi.”  As investigations continue, the University of Hawaii has indicated it will supplement its legislative report once the full scope of impacted individuals is confirmed.