The University of Hawai’i (UH) recently made headlines as it revealed that its Cancer Center fell victim to a ransomware attack, leading to the exposure of sensitive research data. This troubling incident even involved Social Security numbers from some study participants that date back to the 1990s.
As detailed in a report filed with the state Legislature in December 2025, UH clarified that the breach was confined to specific servers that support research operations in the Cancer Center located in Honolulu’s Kakaako district. Importantly, the university assured the public that clinical operations, patient care, and medical treatment records remained unaffected.
Breach Limited to Research Systems
According to UH officials, the attack was detected around August 31, 2025, and swift action was taken to contain it. The compromised systems were immediately disconnected, and measures were implemented to halt unauthorized access and minimize data risks. Cybersecurity experts were quickly brought in to investigate the incident’s nature and scope.
Initial assessments indicated that most affected files were associated with a single cancer research study and primarily contained research data without personal identifiers. However, a deeper electronic review later revealed older files from the 1990s that contained Social Security numbers, which had been used to identify research participants before more secure identification methods were adopted.
Ransom Paid to Regain Access and Secure Data Destruction
In a difficult decision, UH engaged with the attackers to protect the individuals whose sensitive information might have been compromised. Collaborating with external cybersecurity experts, the university acquired a decryption tool and confirmed the “destruction of the information the threat actors unlawfully obtained.” The university has not disclosed whether a ransom was paid or the amount involved, nor has it specified which cancer study was affected or the number of individuals impacted.
Delayed Notification Raises Concerns
Although UH discovered the breach in August, affected individuals had not been notified by December. The university indicated that it is actively working to identify and locate those whose information may have been exposed and will reach out to them once contact information is confirmed. Those impacted will be offered credit monitoring and identity theft protection services where applicable.
This delay in reporting has sparked concerns, particularly since Hawaii law requires government agencies to inform the Legislature within 20 days of discovering a data breach. UH’s report, submitted roughly four months later, did not clarify whether law enforcement had requested a delay.
Steps Taken to Enhance Security
In response to this alarming incident, UH has fortified security at the Cancer Center by implementing 24/7 endpoint protection, reconstructing compromised systems, resetting passwords, replacing firewall infrastructure, and conducting third-party security audits.
A Growing Trend of Cyberattacks on Universities
The attack on UH is part of a troubling trend of increasing cyberattacks targeting universities across the nation. Recently, institutions such as Harvard, Princeton, the University of Pennsylvania, and Baker University have reported breaches involving ransomware, phishing, and data theft.
As UH continues its investigation, many questions linger, including the full scope of the data exposure and whether the attackers have indeed destroyed their copies of the stolen information. For now, affected research participants await clarity on whether their personal data was compromised in an incident rooted in the past.
