• In August 2025, a ransomware attack targeted servers used by the University of Hawaii Cancer Center as part of a research project. Systems were encrypted by the attackers.
• The breach was isolated to research operations only — clinical care and patient treatment systems were not affected.

What Was Compromised

• The attackers encrypted files and also likely stole data, including some research files containing sensitive personal information of study participants.
• Included in the stolen material were historical documents from the 1990s that contained Social Security numbers used for identifying participants at the time.

Delay in Disclosure

• The university reported the incident to the state legislature in late 2025, months after the August breach.
• This delay raised concerns because state law typically requires breach reporting much sooner.

Notification & Response

• UH has begun the process of notifying affected individuals, though the exact number of people impacted and project details have not been publicly disclosed yet.
• University officials declined to reveal how many Social Security numbers were exposed or whether a ransom was paid.
• UH plans to offer credit monitoring and identity theft protection services to those whose information was compromised.

University’s Actions Post-Attack

• After discovering the breach, the university disconnected affected systems, brought in external cybersecurity experts, and engaged with the threat actors to obtain a decryption tool and safeguard stolen data.
• Security measures were upgraded, including new endpoint protections, firewall replacements, credential resets, and third-party security assessments.

Context & Impact

• The attack highlights how research institutions with legacy datasets can be attractive targets for threat actors — even when clinical systems are unaffected.