The University of Hawaiʻi Cancer Center has confirmed that a ransomware attack on its epidemiology division last year exposed highly sensitive personal data belonging to up to approximately 1.2 million individuals, including Social Security numbers and driver’s license identifiers.

The incident, first detected by the university on August 31, 2025, involved an unauthorized third-party breach of servers supporting long-term public health research. In a statement released in late February 2026, UH Cancer Center officials said the ransomware attack encrypted and likely exfiltrated historical research files — a subset of which contained personally identifiable information (PII).

“This cyberattack requires a comprehensive, systemwide response,” said UH President Wendy Hensel, emphasising the institution’s commitment to transparency and future safeguards.

Scope and Affected Data

According to university disclosures:

• The breach affected servers used by the Epidemiology Division, including data from the Multiethnic Cohort (MEC) Study, which enrolled tens of thousands of participants between 1993 and 1996.
• Notification letters have been mailed to about 87,493 study participants whose records contained identifiable data.
• An estimated 1.15 million additional individuals may have had personal identifiers exposed through archival state records, including driver’s license and voter registration databases from the late 1990s and early 2000s.
• Investigators said the electronic medical record system, clinical trials data, patient care systems, and UH student records were not impacted by the breach.

University Response and Ransom Engagement

The university engaged third-party cybersecurity experts to investigate and mitigate the intrusion. Officials said they paid a ransom to the threat actors to obtain a decryption tool and secure a commitment that the stolen data would be destroyed — a difficult decision in light of the sensitive personal information involved.

UH reported the attack to law enforcement and has since worked to restore affected systems. University representatives stated there is currently no evidence that any compromised data has been published, shared, or misused.

Support for Affected Individuals

To help those potentially affected, UH has established a call center and is offering support services including:

• 12 months of free credit monitoring
• Identity theft protection services with insurance coverage
• Assistance through dedicated helpline resources for individuals seeking more information or confirmation of impact.

Notification emails have been sent to approximately 900,000 individuals for whom contact information was identified, while formal breach notices continue to be published on official UH websites.

Broader Cybersecurity Implications

The attack highlights ongoing risks facing research institutions and underscores the vulnerability of legacy data systems that may contain outdated but sensitive personal identifiers. Experts say the incident echoes a broader trend of ransomware groups targeting universities and research centers, often gaining access to archived datasets with minimal current security oversight.

UH has since implemented expanded cybersecurity measures—including enhanced monitoring, upgraded firewalls, and stricter access controls—and initiated an institution-wide review of information technology systems across all campuses.