UH Cancer Center Breach Exposes Data of 1.2 Million
â–¼ Summary
– A ransomware attack on the University of Hawaii Cancer Center’s Epidemiology Division in August 2025 compromised the data of nearly 1.2 million individuals.
– The stolen data includes names, Social Security numbers, driver’s license numbers, and health information from historical research files and public records.
– The breach was isolated to research systems and did not impact clinical trials, patient care, or student records.
– The university paid the attackers for a decryption tool and to supposedly destroy the stolen data to protect those affected.
– This is the second such incident for the University of Hawaii system, following a 2023 ransomware payment by one of its community colleges.
A significant data breach at the University of Hawaii Cancer Center has compromised the personal information of roughly 1.2 million individuals, following a ransomware attack discovered in August 2025. The university confirmed that the incident was isolated to systems within the Cancer Center’s Epidemiology Division, specifically impacting a single research project. Crucially, clinical operations, patient care, and all student records remained unaffected.
The breach involved a wide array of sensitive historical data. Compromised files included names and Social Security numbers (SSNs) from a 2000 state transportation document and 1998 voter registration records. Additionally, files containing driver’s license numbers and health information related to the Multiethnic Cohort (MEC) Study, conducted between 1993 and 1996, were accessed. Data from several other diet and cancer studies, along with files from public health registries dating to 1999 and the mid-2000s, were also exposed.
Notification efforts are currently underway. The UH Cancer Center has already sent letters to more than 87,000 participants of the MEC Study. The university is now in the process of alerting an additional 900,000 individuals whose contact information, primarily email addresses, was found in the breached files. In total, the university estimates that approximately 1.15 million people had their personal details, including SSNs, exposed through the historical driver’s license and voter registration records.
Beyond stealing data, the attackers encrypted the compromised systems, which caused extensive damage and significantly delayed restoration and investigation efforts. In a concerning disclosure, the University of Hawaii admitted it paid the ransomware gang. The payment was made to obtain a decryption tool and to supposedly secure the destruction of the stolen information, a move the university stated was intended to protect those whose data was compromised.
This is not the first time a University of Hawaii entity has paid a ransom. In July 2023, HawaiÊ»i Community College also confirmed it paid a ransomware group to prevent the leak of data stolen from about 28,000 people. The UH Cancer Center’s director, Naoto T. Ueno, expressed deep regret over the new incident. “We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us,” Ueno stated.
(Source: Bleeping Computer)
