A significant ransomware breach at the University of Hawaii’s Cancer Center has impacted approximately 1.24 million individuals. The incident, detected on 31 August 2025, involved a targeted attack on the center’s research systems, specifically affecting servers linked to the Epidemiology Division. University officials confirmed that clinical operations, patient care, and student records remained unaffected by the breach.
The data compromised in this incident includes personal information from two primary groups. The first group consists of around 1.15 million individuals whose details were sourced from historical records collected in 1998 and 2000. These records were derived from voter registration and the Department of Transportation, with Social Security numbers (SSNs) often used as primary identifiers. The second group involves 87,493 participants from the long-running Multiethnic Cohort (MEC) Study, which began in 1993, tracking residents from Hawaii and Los Angeles, California. Stolen files from this group included names, addresses, SSNs, and, in some cases, health-related data.
Following the breach, the university made the decision to engage with the unidentified threat actors and ultimately opted to pay a ransom. This action was taken to secure a decryption tool to unlock their systems and to ensure the destruction of the stolen data. In a statement, the Director of the UH Cancer Center, Naoto T. Ueno, expressed regret over the incident, emphasizing a commitment to transparency and enhancing data protection measures.
This incident is not the first of its kind for the University of Hawaii. In June 2023, the NoEscape ransomware group claimed responsibility for a breach that resulted in the theft of 65GB of sensitive information from the university.
To assist those potentially affected, the university is offering 12 months of free credit monitoring and $1 million in identity theft insurance. A dedicated call center has been set up at (844) 443-0842 to help individuals verify if their information was compromised. It is crucial for affected individuals to act quickly, as the deadline for signing up for these services is 31 May 2026.
Insights from Cybersecurity Experts
Cybersecurity professionals have weighed in on the implications of this breach. John Bambenek, President of Bambenek Consulting, raised concerns regarding the university’s delay in notifying the public. He noted that many laws do not mandate notification if data is encrypted. In this situation, he indicated that the attackers likely accessed enough data to facilitate identity or credit fraud for several months while victims remained unaware.
According to Jason Soroko, Senior Fellow at Sectigo, the aggressive methods used by hackers complicate the process of identifying what information was stolen. He remarked, “Security teams must enforce aggressive network segmentation and deploy immutable, offline backups.” Strengthening authentication processes is essential to safeguard against unauthorized access.
Guru Gurushankar from ColorTokens emphasized the ongoing threat to the healthcare and research sectors. He stated that organizations must become “breach-ready” to defend against these persistent cyberattacks. “Preventing unauthorized lateral movement within networks is critical for maintaining operational resilience,” he added.
As cyber threats continue to evolve, the incident at the University of Hawaii serves as a stark reminder of the vulnerabilities within academic and research institutions. The institution’s commitment to addressing these challenges will be crucial in restoring trust and enhancing its cybersecurity framework moving forward.
