A ransomware attack at the University of Hawaii Cancer Center has exposed the sensitive personal information of over 1.2 million people.
The incident affected the Cancer Center’s Epidemiology Division and was detected on or around August 31, 2025, but the exact date of the ransomware attack remains undisclosed.
While the attack resulted in data encryption and exposure of sensitive personal information, the Center took unconventional measures to ensure patient care was unaffected and that the compromised health data was not published online.
University of Hawaii’s ransomware attack leaks sensitive PII of 1.2 million people
The ransomware attack compromised two files containing Social Security numbers (SSNs) and driver’s license numbers collected from the State Department of Transportation in 2000. It also exposed voter registration records from the City and County of Honolulu, Hawaii’s capital, collected in 1998. Both datasets were collected when Social Security Numbers were used as unique identifiers.
Additionally, the ransomware attack compromised health information records from the Multiethnic Cohort (MEC) Study, which recruited 215,000 men and women aged 45 to 75 years. MEC collected data from five main ethnic and racial groups living in Hawaii and Los Angeles, California, between 1993 and 1996. The MEC data breach affected at least 87,493 individuals, who were notified, beginning February 23, 2026.
Similarly, two additional files containing the names and Social Security Numbers collected from public health registries for epidemiological studies between 1999 and the mid-2000s were compromised.
An additional 1.15 million victims, whose leaked personal information included their driver’s license numbers, voter registration details, and Social Security Numbers, were identified, bringing the total to over 1.2 million.
Healthcare organizations under attack
Healthcare organizations are lucrative targets for cybercriminals due to the sensitive nature of the personal information they collect and store.
Recently, hackers breached a French centralized health management information system and compromised sensitive patient data of 1.2 million people, including the HIV/AIDS statuses of some patients.
“Throughout the past year, we have seen healthcare industry breaches which highlight the necessity of preventing unauthorized lateral movement within one’s network,” said Guru Gurushankar, Senior Vice President & GM, Healthcare and Life Sciences at ColorTokens. “This is critical for healthcare organizations to maintain their digital operational resilience in the face of relentless cyberattacks, and it does not appear that there will be any letup from these attacks moving forward. In other words, organizations have to become breach-ready – this is essential to survival.”
University of Hawai’i pays ransom after ransomware attack
The University of Hawaii’s ransomware attack affected one Cancer Center research project, but did not affect clinical operations or patient care.
“There was no impact to information held by the UH Cancer Center’s Clinical Trials operations, patient care, or any other divisions of the UH Cancer Center. There was no impact to UH student records,” the University stated.
However, the cyber attack resulted in “extensive” data encryption, forcing the University to pay a ransom to obtain the decryption keys to restore impacted systems. Paying the ransom also ensured that the threat actor destroyed the stolen information and did not publish it online, thereby protecting the data privacy of affected individuals.
“When adversaries aggressively encrypt not only primary data stores but also indexing systems and potentially localized backups, the forensic process of identifying what was compromised becomes complex,” said Jason Soroko, Senior Fellow at Sectigo. “Security teams are forced into a recovery phase, having to rebuild systems from the ground up and piece together fragmented data to conduct accurate discovery before they can confidently notify affected individuals.”
Although there is no evidence that the stolen information has been published, misused, or shared, paying the ransom does not guarantee that the threat actor will destroy the stolen data. It could also make the Cancer Center a lucrative target for future ransomware attacks by the same or other cybercrime groups.
While the FBI discourages paying ransoms, it advises organizations to consider the impact of ransomware attacks on their customers, employees, and other stakeholders and make informed decisions. The agency also encourages victim organizations to report all ransomware attacks, as it helps provide critical information about ransomware activity across the country.
Meanwhile, the University is providing 12 months of free identity theft monitoring services, a common practice in such situations. It is also working with the relevant federal law enforcement authorities and external cybersecurity experts to respond to the incident.
