A ransomware attack on the University of Hawaii Cancer Center's Epidemiology Division compromised data for nearly 1.2 million individuals. The stolen information includes Social Security numbers, driver's license numbers, and health data from several research studies, primarily historical files from the 1990s and early 2000s. The university paid the attackers for a decryption tool and to secure the destruction of the stolen data. The incident was isolated to research systems and did not impact clinical operations, patient care, or student records.
The University of Hawaii has confirmed that a ransomware gang stole the data of nearly 1.2 million individuals after breaching its Cancer Center's Epidemiology Division in August 2025.
Founded in 1907, the University of Hawaii (UH) System operates 3 universities and 7 community colleges, as well as multiple campuses and research centers across the Hawaiian Islands. The UH Cancer Center has over 300 faculty and staff, as well as an additional 200 affiliate members.
On February 23, the UH Cancer Center sent notification letters to more than 87,000 people enrolled in its Multiethnic Cohort (MEC) Study between 1993 and 1996. The university is now also notifying all other potentially impacted individuals whose contact details were found (approximately 900,000 email addresses).
"The MEC Study participants potentially impacted a total 87,493 individuals. Additional individuals whose personal information may have been included in the historical driver's license and voter registration records with SSN identifiers number approximately 1.15 million," the university said in a notice published on Friday.
"There was no impact to information held by the UH Cancer Center's Clinical Trials operations, patient care, or any other divisions of the UH Cancer Center. There was no impact to UH student records."
The compromised documents include two files containing names and Social Security numbers (SSNs) from a State Department of Transportation document (collected in 2000) and voter registration data (from 1998), files containing SSNs driver's license (DL) numbers, and health information on the MEC Study (between 1993 and 1996), and three other diet and cancer studies, as well as two more files from 1999 and the mid-2000s with SSNs and names collected from public health registries for epidemiological research.
In a December report to the state legislature, the university revealed that the incident affected a single UH Cancer Center research project and was isolated to systems supporting its Epidemiology Division, and didn't impact clinical operations or patient care.
A follow-up investigation has shown that the attackers accessed research files at the University of Hawaii Cancer Center (UHCC), potentially stealing personal information like Social Security Numbers (SSNs) and driver's license (DL) numbers.
The attackers also encrypted the compromised systems, causing extensive damage and delaying UH's restoration efforts and investigation into the attack's impact.
When it first confirmed the attack, the University of Hawaii also noted that it paid the attackers to obtain a decryption tool and "secure destruction of the information the threat actors illegally obtained" to "protect the individuals whose sensitive information may have been compromised."
"The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted," UH Cancer Center director Naoto T. Ueno added. "We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us."
In July 2023, the Hawaiʻi Community College (part of the University of Hawaii) also confirmed that it paid a ransomware gang to prevent the leak of data stolen from approximately 28,000 people.
Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
Meridiano
