University of Hawaiʻi Cancer Center discloses ransomware breach, up to 1.15 million records exposed

The University of Hawaiʻi Cancer Center disclosed that a ransomware intrusion first detected Aug. 31, 2025 encrypted servers used by its Epidemiology Division and potentially exposed legacy research and recruitment records containing Social Security numbers, driver’s license identifiers and voter-registration data for roughly 1.15 million people, the university said. The center mailed letters on Feb. 23 to 87,493 participants in its Multiethnic Cohort Study and said it had identified about 900,000 email addresses for broader notification.

University officials said the attack targeted research servers rather than clinical systems; patient care, clinical trials and student records were not affected. The university engaged third-party cybersecurity experts, obtained a decryption tool and said it paid a ransom after receiving an affirmation from the threat actors that stolen files would be destroyed. The university also notified law enforcement and opened call centers and a web resource for affected individuals starting March 2.

Files on the compromised servers included decades of research data and archived recruitment lists assembled in the late 1990s and early 2000s, the university said. Those legacy records included Hawaii Department of Transportation driver’s license extracts from about 2000 and Honolulu voter registration files from 1998, both of which at the time contained Social Security numbers as identifiers. The university said some research questionnaires and protected health information tied to participants were also on the servers. Officials added that, to date, there is no evidence that any of the information has been published, shared or misused.

Security monitoring firm UpGuard published an independent estimate that about 1.24 million individuals could have been affected, a higher figure than the university’s approximate 1.15 million. The discrepancy has not been reconciled publicly as investigators continue a broader forensic review to determine the full scope of files exfiltrated before and during encryption.

The university is offering 12 months of free credit monitoring and $1 million in identity theft insurance to people potentially affected and has pledged to notify additional individuals separately if further data is found to be involved. Investigators said the extensiveness of the encryption delayed restoration and complicated efforts to identify which individuals’ records were taken, requiring months to decrypt files and complete initial forensic work.

Beyond immediate remediation, the breach raises questions about data governance in academic research and the public-health consequences of long-retained personal identifiers. The Multiethnic Cohort Study is a long-running research project that relies on participant trust and community engagement; the loss or disclosure of sensitive legacy identifiers could chill recruitment, undermine ongoing work, and disproportionally affect communities already burdened by health inequities if participants feel their privacy is not protected.

University of Hawaiʻi Cancer Center Director Naoto Ueno said, “The [University of Hawaiʻi] Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted. We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us.” Investigators continue to seek technical details about the intrusion, the identity of the ransomware group and independent verification of the attackers’ destruction claims as the university works to restore trust and safeguard sensitive research data.