Ransomware Healthcare / Academic Research · United States · March 2026

University of Hawai'i Cancer Center

Analysis of the University of Hawai'i Cancer Center ransomware attack affecting up to 1.24 million individuals. Legacy research data from the 1990s exposed including SSNs.

Records Affected

Up to approximately 1.24 million individuals

Attack Type

Ransomware

Location

United States

Data types exposed

Social Security numbers driver's licence numbers health questionnaires

What Happened

The University of Hawai'i (UH) Cancer Center disclosed in late February 2026 that it had been the victim of a ransomware attack targeting servers within its Epidemiology Division. According to the university's official statement, the attack was detected on or about August 31, 2025.
The attackers encrypted research data and, according to UH, provided evidence that they had potentially exfiltrated a portion of that data. The university stated that it engaged cybersecurity experts who obtained a decryption tool and secured what it described as "an affirmation that any information obtained was destroyed." UH has not publicly confirmed whether a ransom payment was made, though reporting by Honolulu Civil Beat and the Associated Press noted that the university "engaged with the hackers" and that the FBI generally discourages ransom payments.
The compromised data reportedly includes Social Security numbers and driver's licence numbers drawn largely from Hawaii Department of Transportation records collected around 2000 and City and County of Honolulu voter registration records from 1998. These records were originally used to recruit participants for the Multiethnic Cohort Study, a long-running cancer research project established in 1993. Some research health questionnaires were also among the exposed files.
According to the university's notice and reporting by The Record, approximately 1.15 million to 1.24 million individuals may be affected. Notification letters were sent to initial groups of identified participants starting February 23, 2026, with broader notification via email and public announcement following on February 28.
UH stated that the breach did not affect the Cancer Center's clinical trials operations, patient care, or student records. The university is offering affected individuals 12 months of free credit monitoring and identity theft insurance.
This is not the first ransomware incident involving the University of Hawai'i system. In 2023, Hawai'i Community College dealt with a separate ransomware attack attributed to the NoEscape group, which affected approximately 28,000 individuals.

Timeline

  • August 31, 2025 — Ransomware attack detected targeting Epidemiology Division servers
  • September-December 2025 — Forensic investigation conducted; UH engages with threat actor and obtains decryption tool
  • February 23, 2026 — Initial notification letters sent to identified affected participants
  • February 28, 2026 — Public disclosure via university news release and broader notification

Impact and Risk Assessment

For Individuals

Up to 1.24 million individuals, primarily participants in the Multiethnic Cohort Study, had SSNs and driver's licence numbers exposed.
Much of the exposed data dates to the 1990s and early 2000s, when SSNs were routinely used as research identifiers. Many affected individuals may not have been aware their data was still held by the university.
Health questionnaire data from cancer research participants was also among the exposed files.

For Organisations

The University of Hawai'i system faces reputational damage and potential regulatory scrutiny, particularly given this is the second ransomware incident in three years.
Research institutions nationally may face increased scrutiny of how they manage legacy research datasets.

Regulatory Context

Hawaii state law generally requires government agencies to report breaches to the legislature within 20 days, though exceptions exist when law enforcement advises delay.
The six-month gap between detection and public notification may draw regulatory scrutiny regarding timely disclosure obligations.

What Should You Do?

For Individuals

  • If you participated in cancer research studies at the University of Hawai'i, particularly the Multiethnic Cohort Study, monitor your credit reports for signs of identity misuse.
  • Take advantage of the 12 months of free credit monitoring and identity theft insurance being offered.
  • Consider placing a fraud alert or credit freeze, particularly given that SSNs were among the exposed data.

For Security Professionals

  • Inventory historical research data in your organisation. Assess what identifiers are stored, whether they are still needed, and apply appropriate controls including encryption at rest and network segmentation.
  • If data from decades ago is still sitting on a server accessible from the network, it needs to be either securely archived offline or properly protected.
  • The broader lesson is that ransomware groups are increasingly targeting organisations outside the traditional corporate perimeter: universities, research centres, and healthcare systems that may lack the security budgets of large enterprises but hold data that is just as valuable to attackers.

Learnings and Recommendations

Research institutions often hold datasets that span decades, collected in eras when SSNs were routinely used as identifiers. These "legacy data vaults" represent a unique risk: the data is highly sensitive, rarely accessed, and frequently overlooked in security planning.
The six-month gap between detection (August 2025) and public notification (February 2026) also raises questions about timely disclosure, a growing area of regulatory focus in the United States. Hawaii state law generally requires government agencies to report breaches to the legislature within 20 days, though exceptions exist when law enforcement advises delay.
For academic and research institutions, this incident is a call to inventory historical research data, assess what identifiers are stored and whether they are still needed, and apply appropriate controls including encryption at rest, network segmentation, and endpoint detection. If data from the 1990s is still sitting on a server accessible from the network, it needs to be either securely archived offline or properly protected.
The broader takeaway is that ransomware groups are increasingly targeting organisations outside the traditional corporate perimeter: universities, research centres, and healthcare systems that may lack the security budgets and staffing of large enterprises but hold data that is just as valuable to attackers.

References

[1] University of Hawai'i System News - Notice of UH Cancer Center cyberattack — https://www.hawaii.edu/news/2026/02/27/notice-of-cyberattack-uh-cancer-center/
[2] The Record (Recorded Future) - University of Hawaii Cancer Center confirms data leak — https://therecord.media/university-of-hawaii-ransomware-data-breach
[3] Hackread - Ransomware Breach at University of Hawaii Cancer Center — https://hackread.com/ransomware-breach-university-of-hawaii-cancer-center/
[4] Honolulu Civil Beat - UH Engaged With Hackers Who Highjacked Cancer Study Data — https://www.civilbeat.org/2026/01/uh-engaged-with-hackers-who-highjacked-cancer-study-data/
[5] Security Magazine - 1M Impacted by University of Hawaii Cancer Center Breach — https://www.securitymagazine.com/articles/102155-1m-impacted-by-university-of-hawaii-cancer-center-breach

Source

https://www.hawaii.edu/news/2026/02/27/notice-of-cyberattack-uh-cancer-center/ ↗
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.
Back to all advisories