Data breach at University of Hawaiʻi Cancer Center impacts 1.2 Million individuals

Data breach at University of Hawaiʻi Cancer Center impacts 1.2 Million individuals

Pierluigi Paganini
March 04, 2026

A ransomware attack on the University of Hawaiʻi Cancer Center exposed personal data of 1.2 million people.

A 2025 ransomware attack targeting the University of Hawaiʻi Cancer Center compromised the personal information of about 1.2 million individuals.

The attack hit the University of Hawaiʻi Cancer Center on August 31, 2025, impacting servers that support research operations but not clinical care or patient services. Officials engaged with the threat actors to obtain a decryption tool and secure assurances that exfiltrated data was destroyed, but did not disclose whether a ransom was paid.

“On or about August 31, 2025, UHCC learned that it was the victim of a cyberattack isolated to specific systems that support its Epidemiology Division.” reads General Incident Overview. “The unauthorized third party encrypted large amounts of data, and provided proof that it had potentially exfiltrated a portion of that data. There was no impact to information held by the UHCC’s Clinical Trials operations, patient care or any other divisions, and there was no impact to student records.”

After detecting unauthorized access to research files, UHCC disconnected affected systems, removed the threat actor.

At the time of the incident, the organization notified law enforcement and investigated the security breach with the help of external cybersecurity experts.

Stolen data includes names, Social Security numbers, driver’s license details, voter registration records, and health-related information, raising serious concerns about identity theft and long-term privacy risks for those affected.

The breach involved three main groups. First, two legacy files from 1998–2000 containing names and SSNs, drawn from Hawaii driver’s license and voter registration records, which at the time often used SSNs as identifiers. Second, files tied to the Multiethnic Cohort Study and other cancer research projects, including names, addresses, SSNs, limited health data, and registry information. Third, additional research registry files with names and SSNs collected from public health sources for epidemiological studies.

Most of the exposed data relates to a long-running study launched in 1993 that recruited over 215,000 participants. Records of 87,493 participants were compromised, including names, Social Security numbers, and in some cases research and health information.

“There was no impact to information held by the UH Cancer Center’s Clinical Trials operations, patient care, or any other divisions of the UH Cancer Center. There was no impact on UH student records,” the institution says.

The University of Hawaiʻi is offering affected individuals 12 months of free credit monitoring and identity theft protection services.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, University of Hawaiʻi Cancer Center)

---

---

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: breach, Breaking News, cancer, Center, Cybercrime, Data, data breach, hacking, hacking news, Hawaiʻi, impacts, individuals, information security news, IT Information Security, Malware, million, Pierluigi, Pierluigi Paganini, Security, Security Affairs, Security News, University, University of Hawaiʻi, University of Hawaiʻi Cancer Center