A ransomware gang stole data of nearly 1.2 million people from the University of Hawaii Cancer Center’s Epidemiology Division after a breach in August 2025, it has been said in a notice from the University of Hawaii.
KEY FACTS
- Incident ransomware breach of Epidemiology Division research systems
- Affected individuals nearly 1.2 million people, including 87,493 Multiethnic Cohort participants
- Data exposed names, Social Security numbers, driver’s license numbers, and study health information
- Timeline breach in August 2025; notifications began February 23, 2026
- Mitigation university paid attackers for a decryption tool and alleged secure destruction
The breach targeted systems that supported a single research project in the Cancer Center’s Epidemiology Division. Notification letters were sent beginning February 23 to 87,493 participants in the Multiethnic Cohort Study and to additional contacts found in archived records.
Compromised documents include two files with names and Social Security numbers from a State Department of Transportation document collected in 2000 and voter registration data from 1998. Other exposed files contain Social Security numbers and driver’s license numbers, health information from the Multiethnic Cohort Study collected from 1993 to 1996, three diet and cancer studies, and files from 1999 and the mid 2000s drawn from public health registries.
Attackers encrypted the compromised systems, causing extensive damage and delaying restoration and investigation. The university paid the attackers to obtain a decryption tool and secure destruction of the information the threat actors illegally obtained.
A follow-up investigation report on the exposure is part of the public record. Attackers accessed research files and potentially stole Social Security numbers and driver’s license numbers.
UH Cancer Center director Naoto T. Ueno: “The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted. We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us.”
WHY IT MATTERS
The incident exposed sensitive personal data from historical research and public records for nearly 1.2 million people, increasing long term identity risk. The payment to attackers and the targeting of archived research files highlight the challenge of protecting legacy data in academic research.