University of Hawaiʻi Cancer Center Data Breach Exposes Sensitive Information of Over a Million Individuals

Introduction to the Breach

In a significant cybersecurity incident, the University of Hawaiʻi Cancer Center fell victim to a ransomware attack that compromised sensitive personal information belonging to potentially over a million individuals. This breach, which occurred in August 2025, has raised serious concerns about data security in academic and medical research institutions. The attack targeted the center's Epidemiology Division, where valuable research data was stored on servers. Hackers not only encrypted the files, making them inaccessible, but also exfiltrated portions of the data, putting personal identifiers at risk. Although the university has taken swift action to mitigate the damage, the event underscores the growing threats facing organizations that handle large volumes of personal and health-related information.

Background on the University of Hawaiʻi Cancer Center and Affected Studies

The University of Hawaiʻi Cancer Center is a leading research institution dedicated to understanding, preventing, and treating cancer, with a particular focus on the diverse populations of Hawaii and the Pacific region. As part of the University of Hawaiʻi system, it conducts groundbreaking studies that contribute to global knowledge on cancer epidemiology. One of the primary studies impacted by this breach is the Multiethnic Cohort Study, a long-term research project initiated between 1993 and 1996. This study involved recruiting approximately 215,000 participants aged 45 to 75 from five major racial and ethnic groups, including Japanese Americans, Native Hawaiians, African Americans, Latinos, and Caucasians. Around 104,000 of these participants were from Hawaii, with the remainder from California.

The Multiethnic Cohort Study aimed to explore cancer risks and factors influencing health outcomes across different ethnicities. To facilitate recruitment, researchers utilized historical records such as driver's license data from the Hawaii State Department of Transportation collected in 2000 and voter registration records from the City and County of Honolulu gathered in 1998. During those periods, driver's license and voter identification numbers often incorporated Social Security numbers, a practice that has since been discontinued but left a legacy of sensitive data in research archives. In addition to the Multiethnic Cohort Study, three other epidemiological studies focused on diet and cancer, with recruitment spanning from 1994 to 2007, were also affected. These studies included participant questionnaires, health-related information, and linkages to national and state public health registries.

Details of the Cyberattack

The cyberattack was detected on August 31, 2025, after hackers gained unauthorized access to the Cancer Center's servers. The intruders encrypted the files, rendering them unusable without a decryption key, and potentially copied sensitive data before their activities were halted. The compromised information was housed in a subset of research files specifically supporting the epidemiology research operations. This included two files that combined Social Security numbers with names from public health registries, which had been closed to new entries by 1999 and the mid-2000s.

Fortunately, the breach did not extend to the Cancer Center's clinical trials operations, patient care systems, or other divisions. It also spared University of Hawaiʻi student records and electronic medical record systems. However, the stolen data encompassed Social Security numbers, driver's license numbers, and health-related research information, creating a substantial risk for identity theft and privacy violations if misused. Investigations have shown no evidence that the exfiltrated data has been published, shared, or exploited by the attackers to date, but the potential for future harm remains a concern.

Scope of the Impact

The breach has a broad reach, affecting up to 1.15 million individuals whose personal information may have been exposed through the historical driver's license and voter registration records. Of these, approximately 87,493 participants from the Multiethnic Cohort Study and related research projects are directly impacted, as their health and personal data were part of the compromised files. An additional 900,000 people, whose details were included in the broader recruitment datasets, could also be at risk.

The affected individuals span residents of Hawaii and California, reflecting the geographic focus of the studies. The inclusion of Social Security numbers from outdated identification practices amplifies the severity, as these numbers are key to financial and identity security. While the university continues to investigate whether any additional sensitive information was accessed, it anticipates that such cases will be minimal. Those identified in ongoing reviews will receive separate notifications to ensure transparency.

University's Response and Mitigation Efforts

Upon discovering the attack, the University of Hawaiʻi immediately notified law enforcement agencies and engaged third-party cybersecurity experts to investigate and respond. These specialists assisted in obtaining a decryption tool to restore access to the encrypted files and worked to confirm that any stolen data held by the hackers was destroyed. This collaborative effort helped contain the incident without disrupting clinical or patient care activities.

To support those potentially affected, the university has implemented a comprehensive notification and assistance program. On February 23, 2026, letters were mailed to the 87,493 directly impacted study participants, informing them of the breach and offering protective services. A public announcement followed on February 27, 2026, accompanied by emails to around 900,000 individuals with identifiable contact information. Affected parties are eligible for 12 months of free credit monitoring and up to one million dollars in identity theft insurance to safeguard against potential fraud.

A dedicated call center was established, operational from March 2, 2026, with hours adjusted for Hawaii Standard Time. Individuals can contact the center at (844) 443-0842 for verification of involvement and enrollment in protective services. Additionally, the university launched a resource website at hawaii.edu/cancercenter/incident, providing updates and guidance. Users are advised to ignore any unsolicited communications claiming to represent the university and requesting personal details, as these could be phishing attempts.

Enhancements to Cybersecurity Measures

In the wake of the breach, the University of Hawaiʻi Cancer Center has undertaken extensive improvements to its security infrastructure. The network has been redesigned and hardened against future threats, with modern endpoint protection extended across systems and monitored around the clock. Sensitive research servers have been upgraded and migrated to the university's central Information Technology Services data center for better oversight. Stricter access controls have been enforced, limiting who can view or handle sensitive data, and mandatory cybersecurity training has been rolled out for all staff members.

On a broader scale, University of Hawaiʻi President Wendy Hensel has initiated a full review of information technology systems across all 10 campuses in the system. This includes forming an Information Security Governance Council for Research to coordinate efforts and an Information Security Task Force to update policies, define roles, and recommend necessary investments. Independent third parties have been brought in to validate these new controls, ensuring robustness. These measures reflect a commitment to preventing similar incidents and protecting the integrity of research data moving forward.

Implications for Research Institutions

This data breach highlights the vulnerabilities inherent in academic research environments, where vast amounts of personal and health data are collected over decades for scientific advancement. Universities like the University of Hawaiʻi are prime targets for cybercriminals due to their extensive networks and valuable datasets. The incident serves as a reminder of the need for ongoing vigilance, regular updates to security protocols, and the importance of phasing out legacy data practices that incorporate sensitive identifiers like Social Security numbers.

Beyond the immediate risks to individuals, such attacks can erode public trust in research institutions, potentially deterring future participation in vital studies. The financial and reputational costs are also substantial, with expenses for investigations, notifications, and system upgrades adding up quickly. As cyber threats evolve, institutions must prioritize cybersecurity as a core component of their operations, integrating it into every aspect of data management.

Conclusion

The University of Hawaiʻi Cancer Center data breach is a stark example of the challenges faced by research organizations in an increasingly digital world. While the university's prompt response and lack of evidence of data misuse offer some reassurance, the exposure of over a million Social Security numbers and related information demands continued caution from those affected. By bolstering its defenses and providing support to victims, the center demonstrates accountability and a dedication to safeguarding sensitive information. As investigations conclude and security enhancements take hold, this incident may ultimately strengthen the resilience of the entire University of Hawaiʻi system against future cyber threats.