University of Hawaiʻi Cancer Center says up to 1.2 million affected in ransomware breach

The University of Hawaiʻi Cancer Center confirmed that a ransomware attack on its epidemiology division last year exposed sensitive information belonging to up to 1.2 million individuals, including Social Security and driver’s license numbers.

The cyber incident was first detected on Aug. 31, 2025, and affected certain servers supporting the center’s epidemiology research operations. University officials said the attackers encrypted and likely exfiltrated data from a subset of research files. Law enforcement was notified, and cybersecurity experts were brought in to investigate and assist with recovery.

Compromised records included Social Security numbers and driver’s license numbers originally collected from the Hawaiʻi State Department of Transportation, as well as voter registration records from the City and County of Honolulu dating back to 1998. Some exposed files also contained health-related information tied to research studies.

Part of the breach involved the Multiethnic Cohort Study, an epidemiological research initiative established in 1993. The university used driver’s license and voter registration records to recruit participants for the study. Officials said 87,493 study participants had information stolen. In addition, approximately 1.15 million individuals whose personal information may have been included in historical driver’s license and voter registration records with Social Security identifiers were potentially affected.

Files related to three additional epidemiological studies focused on diet and cancer were also accessed. The investigation remains ongoing to determine whether other sensitive information was compromised.

University officials acknowledged that the scale of encryption carried out by the attackers delayed system restoration and impact assessment. During the investigation, the university engaged with the threat actors in an effort to protect affected individuals. A cybersecurity firm secured a decryption tool and obtained confirmation that any acquired information was destroyed.

The university said there is no evidence that the stolen data has been published, shared or misused. The group responsible for the attack has not been identified.

The ransomware incident did not affect clinical trials operations, patient care services or other divisions within the University of Hawaiʻi Cancer Center.

Naoto Ueno, director of the University of Hawaiʻi Cancer Center, issued an apology and said the organization is committed to transparency. University of Hawaiʻi President Wendy Hensel said she has initiated a comprehensive review of information technology systems across all 10 campuses to strengthen cybersecurity protections.