A significant ransomware attack at the University of Hawaii’s Cancer Center has compromised the personal information of approximately 1.24 million individuals. Detected on 31 August 2025, the breach specifically targeted the center’s research systems, particularly affecting servers within the Epidemiology Division. Officials have assured that clinical operations, patient care, and student records remain unaffected.
The data breach encompasses two main groups. The first group includes about 1.15 million individuals whose personal details were obtained from historical records dating back to 1998 and 2000. These records were collected from voter registration databases and the Department of Transportation, following a practice where Hawaii government agencies shared such lists with the university. Unfortunately, during that period, Social Security numbers (SSNs) were often used as primary identifiers, leading to their inclusion in these older recruitment files.
The second group impacted consists of 87,493 participants from the long-running Multiethnic Cohort (MEC) Study, which began in 1993. This study has tracked residents from both Hawaii and Los Angeles, California. Stolen files from this group contained names, addresses, SSNs, and, in some cases, health-related information.
University’s Response and Ransom Payment
Following the breach, the university’s administration engaged with the unidentified threat actors and ultimately made the difficult decision to pay a ransom. This payment was intended to acquire a decryption tool to restore access to their systems and secure assurances regarding the destruction of the stolen data.
In a public notice, Naoto T. Ueno, Director of the Cancer Center, expressed regret over the incident, stating that the center is now focused on “transparency, accountability, and strengthening protections” for data it holds. This is not the first ransomware incident for the University of Hawaii; in June 2023, the NoEscape ransomware group claimed responsibility for a breach that resulted in the theft of 65GB of sensitive data.
For those concerned that their personal details may have been compromised, the university is offering 12 months of free credit monitoring and $1 million in identity theft insurance. A dedicated call centre is now operational at (844) 443-0842 to assist individuals in checking their status. It is crucial for affected individuals to act quickly, as the deadline to enroll for these services is 31 May 2026.
Expert Insights on Cybersecurity Challenges
Cybersecurity experts have weighed in on the challenges posed by such incidents. John Bambenek, President at Bambenek Consulting, highlighted concerns regarding the delay in public notification. He noted that many laws do not mandate notification if data is encrypted, which can leave victims unaware for extended periods. He stated, “The attacker likely had their hands on enough data to engage in identity or credit fraud for six months while the victims were unaware.”
Jason Soroko, Senior Fellow at Sectigo, discussed the complexities that arise when hackers lock up data and indexing systems. He emphasized the need for stronger security measures, such as network segmentation and immutable backups, to reduce vulnerabilities. He remarked, “With certificate-based authentication, organizations can revoke compromised credentials and significantly shrink the window of opportunity a ransomware operator has.”
Guru Gurushankar from ColorTokens pointed out that attacks on the healthcare and research sectors are on the rise. He asserted the necessity for organizations to prepare for breaches to ensure resilience against ongoing threats. Gurushankar stated, “Organizations have to become breach-ready – this is essential to survival,” underscoring the importance of preventing unauthorized access within internal networks.
As this incident unfolds, it serves as a reminder of the critical need for robust cybersecurity measures in protecting sensitive information, particularly within academic and healthcare institutions.