Cyber Incident Victim: University of Hawaiʻi Cancer Center
Date:
Aug 2025
Location:
United States of America
Summary
The University of Hawaiʻi Cancer Center experienced a ransomware attack that compromised the personal information of approximately 1.2 million individuals. The breach exposed names, Social Security numbers, driver’s license details, voter registration records, and for some study participants, health and research-related data, while the university reported no impact on clinical operations, patient care, or student records. The institution engaged with the threat actors to obtain a decryption tool and ensure the destruction of exfiltrated data, and is providing affected individuals with twelve months of free credit monitoring and identity theft services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 31, 2025, the University of Hawaiʻi Cancer Center experienced a ransomware attack that encrypted servers supporting its research operations. The university’s incident notice described the extensiveness of the encryption by the threat actors as making it difficult to restore the affected systems and to assess the full scope of compromised data. In response to the attack, the institution engaged directly with the threat actors in an effort to protect the individuals whose sensitive information might have been exposed. Through this engagement the university obtained a decryption tool that allowed it to regain access to the encrypted data. The university also stated that it ensured the destruction of any data that had been exfiltrated by the attackers, although it did not disclose any details about a ransom payment. The attack did not affect the center’s clinical trials operations, patient care, or any other divisions of the UH Cancer Center, nor did it impact university student records.
The compromised data primarily originated from a long‑running research study that was established in 1993 and had recruited more than 215,000 participants between 1993 and 1996. Records of 87,493 of those study participants were affected, exposing their names, Social Security numbers, and, for some individuals, research‑related and health information. In addition to the study records, the breach exposed the names, driver’s license details, Social Security numbers, and voter registration records of approximately 1.15 million other individuals. Altogether, the personal information of about 1.2 million people was compromised in the incident. The university emphasized that no information held by its Clinical Trials operations, patient care services, or other divisions was impacted, and that student records remained secure.
To assist those affected, the University of Hawaiʻi is providing twelve months of free credit monitoring and identity theft services to all individuals whose data was involved in the breach. The institution said its investigation into any additional potentially compromised information continues, with support from law enforcement agencies and cybersecurity experts. The university noted that it will keep monitoring the situation and will provide further updates as the inquiry progresses.