The University of Hawaii is currently grappling with the repercussions of a significant cyberattack that affected its Cancer Center in 2025. This incident has raised serious concerns as it compromised research systems at the UH Cancer Center and potentially jeopardized sensitive personal information, including Social Security and driver’s license numbers collected over the past decades for epidemiological research purposes.
A report revealed that the data breach was identified in December 2025, although the cyber incident itself was first detected around August 31, 2025. The ransomware attack specifically targeted certain servers that supported research operations at the Cancer Center. This raises questions about the vulnerabilities that exist within academic research institutions, particularly those handling sensitive information.
The University of Hawaii has assured the public that clinical operations, patient care, and medical records were not affected by this breach. Additionally, there was no impact on student records or other divisions within the University of Hawaii system. The compromised data was strictly limited to research files, making it imperative for the university to clarify the scope of the breach to maintain the trust of its stakeholders.
Details of the Data Compromise
During the cyberattack, an unauthorized third party gained access to specific research servers, ultimately encrypting and potentially exfiltrating some data. Notably, the compromised files included two documents containing names alongside Social Security numbers. Another file revealed Hawaiʻi driver’s license numbers collected from the State Department of Transportation back in 2000, with these identifiers generally linked to Social Security numbers. Furthermore, a file containing voter registration information acquired from the City and County of Honolulu in 1998 also surfaced, where identifiers like Social Security numbers were commonly used.
These historical records played an essential role in recruiting participants for long-term epidemiological studies, particularly the Multiethnic Cohort (MEC) Study. This initiative, which began in 1993, was instrumental in understanding the health disparities among various ethnic groups.
Impact on Research Initiatives
The cyber breach may have affected approximately 87,493 participants involved in the long-running MEC Study. Established over two decades ago, this study has been a vital resource in understanding the health implications of different ethnicities in Hawaiʻi and Los Angeles. Beyond the MEC participants, data from an estimated 1.15 million additional individuals might have been involved, given the compromised historical driver’s license and voter registration records containing Social Security identifiers.
In light of these alarming figures, ongoing investigations aim to determine whether other sensitive information was included in the breach. The University of Hawaii has indicated that findings of any additional affected data are expected to be minimal, and affected individuals will be separately notified when feasible.
University’s Measures and Law Enforcement Involvement
In response to the cyberattack, the University of Hawaii acted swiftly by disconnecting the impacted systems and striving to eliminate unauthorized access. They enlisted third-party cybersecurity experts to evaluate the extent of the breach. Restoration of the systems was hampered due to the extensive encryption utilized by the perpetrators, resulting in a timely and challenging recovery.
During the investigation, it became evident that an unauthorized entity had not only accessed but likely exfiltrated a subset of research files. To safeguard the affected individuals, the university took the additional step of engaging with the threat actors to retrieve affected data. Collaboration with cybersecurity specialists enabled the university to obtain a decryption tool, with assurances that the unlawfully obtained information was destroyed. Currently, there is no evidence suggesting that this information has been disseminated or misused.
The affected files initially appeared to contain research content devoid of personal identifiers. However, a subsequent third-party electronic examination identified files dating back to the 1990s that contained Social Security numbers previously used for research participant identification. This has heightened concerns about the long-term implications of data security within such institutions.
Notification and Resources for Affected Individuals
On February 23, the university dispatched notification letters to the 87,493 impacted MEC Study participants. The university has also provided electronic communication updates to roughly 900,000 email addresses, issued a public announcement, and launched a dedicated UH Cancer Center Cyberattack Information and Resource Website. This level of transparency is crucial in maintaining trust with the community and stakeholders.
Affected individuals are being offered practical solutions, including 12 months of complimentary credit monitoring and $1 million in identity theft insurance, which emphasizes the university’s commitment to mitigating the fallout from this incident.
System-wide Security Overhauls
In light of this unfortunate event, the University of Hawaii has instituted extensive cybersecurity upgrades. Initiatives include the installation of endpoint protection software with 24/7 monitoring, rebuilding compromised systems, and resetting passwords alongside the migration of sensitive research servers to the UH Information Technology Services data center.
The university has also reinforced its access control measures, conducted third-party security assessments, and initiated mandatory cybersecurity training across all campuses. The establishment of an Information Security Governance Council for Research serves to further enhance the institution’s commitment to data protection, security roles, and policy updates.
Naoto T. Ueno, the director of the UH Cancer Center, expressed remorse about the incident, emphasizing the commitment to transparency and accountability. University President Wendy Hensel echoed these sentiments, noting that a comprehensive, system-wide response is paramount for safeguarding data integrity.
As investigations progress, the University of Hawaii has pledged to provide supplementary reports to stakeholders detailing the full scope of the impacted individuals and any additional findings. The ongoing commitment to refining data protection protocols underscores the institution’s responsibility to those they serve.