A ransomware attack on August 31, 2025 breached the Cancer Center in Honolulu and led to theft of study participant data, including 1990s documents containing Social Security numbers, the University of Hawaii said in a report to the state legislature.
KEY FACTS
- Incident August 31, 2025 ransomware breach
- Affected Single research project at the Cancer Center
- Data exposed Study participant files including 1990s documents with Social Security numbers
- Response Decryption tool obtained and stolen data removed
The incident affected a single research project and did not impact clinical operations or patient care.
Extensive encryption of compromised systems delayed restoration efforts and slowed the investigation into the attack’s impact.
Initial reviews found most files were research data without personal identifiers. Further analysis uncovered older files from the 1990s that included Social Security numbers used to identify participants before different identification methods were adopted.
External cybersecurity experts assisted to obtain a decryption tool and to secure destruction of the information taken by the attackers. Measures taken include installing endpoint protection, replacing compromised systems, resetting passwords, replacing firewall software, and conducting third party security audits. Notification to affected individuals has not yet occurred and will be done once contact information is determined.
WHY IT MATTERS
The exposure of Social Security numbers raises long term identity risk for study participants and highlights the difficulty of protecting legacy research records. The incident shows the operational and privacy impacts ransomware can have on research institutions.