The University of Hawaii is confronting the fallout from the 2025 UH Cancer Center cyberattack. The breach affected research systems at the University of Hawaiʻi Cancer Center and potentially exposed sensitive personal data, including Social Security numbers and driver’s license numbers, collected decades ago for epidemiological research.
According to an official report, the discovery of the data exposure occurred in December 2025. However, the cybersecurity incident itself was first identified on or about August 31, 2025. The ransomware attack was isolated to specific servers supporting research operations at the Cancer Center.
The University of Hawaii confirmed that the UH Cancer Center cyberattack did not affect clinical operations, patient care, or medical records. There was also no impact on student records or other divisions within the University of Hawaii system.
The affected data was contained strictly within research files and not connected to patient treatment records.
What Data Was Involved in the UH Cancer Center Cyberattack
During the UH Cancer Center cyberattack, an unauthorized third party encrypted and potentially exfiltrated data from certain research servers. The compromised files included:
- Two files containing names paired with Social Security numbers.
- One file included Hawaiʻi driver’s license numbers collected in 2000 from the State Department of Transportation. At that time, driver’s license numbers were typically based on Social Security numbers.
- The second file contained voter registration information collected in 1998 from the City and County of Honolulu, where identifiers also commonly included Social Security numbers.
These historical records were primarily used to recruit participants for long-term epidemiological research, particularly the Multiethnic Cohort (MEC) Study.
Impact on the Multiethnic Cohort Study
The UH Cancer Center cyberattack potentially impacted 87,493 participants in the long-running Multiethnic Cohort Study. Established in 1993, the MEC Study recruited more than 215,000 men and women between the ages of 45 and 75 from 1993 to 1996. Participants came from five primary racial and ethnic groups residing in Hawaiʻi and Los Angeles, California.
Additional affected research included three epidemiological studies focused on diet and cancer, specifically colorectal adenomas (with recruitment spanning 1995–2007) and colon cancer (1994–2005). These files contained names combined with Social Security numbers and/or driver’s license numbers. Some files also included participant questionnaires, health-related research data, and information sourced from national and state public health registries.
Two additional files containing names and Social Security numbers collected from public health registries were also compromised. One of those files stopped accepting new names in 1999, while the other closed in the mid-2000s.
Beyond the 87,493 MEC participants, approximately 1.15 million additional individuals may have had their information included in historical driver’s license and voter registration records that contained Social Security identifiers.
Investigations remain ongoing to determine whether other sensitive information was involved. The University of Hawaii has stated that any additional findings are expected to be nominal, and affected individuals will be notified separately where possible.
University Response and Law Enforcement Involvement
Following the discovery of the UH Cancer Center cyberattack, the University of Hawaii immediately disconnected the affected systems and worked to terminate unauthorized access. Third-party cybersecurity experts were retained to investigate the scope of the breach.
Due to the extensive encryption deployed by the threat actors, restoration of systems took time. During the investigation, it was determined that an unauthorized third party had accessed and had the opportunity to exfiltrate a subset of research files.
While the review was underway, the university made the decision to engage with the threat actors in an effort to protect affected individuals. Working with cybersecurity specialists, the University of Hawaii obtained a decryption tool and secured affirmation that the unlawfully obtained data was destroyed. As of now, officials report no evidence that the information has been published, shared, or misused.
Initially, most of the affected files appeared to contain research data without personal identifiers. However, a more detailed third-party electronic review confirmed the presence of files dating back to the 1990s that contained Social Security numbers used at that time to identify research participants.
After confirming the exposure, the University of Hawaii initiated notification procedures in accordance with §487N-4 of the Hawaiʻi Revised Statutes.
Notification and Support for Affected Individuals
On February 23, notification letters were mailed to 87,493 MEC Study participants. The University of Hawaii also identified approximately 900,000 email addresses and is providing notice through electronic communication, a public announcement, and a dedicated UH Cancer Center Cyberattack Information and Resource Website.
Affected individuals are being offered:
- 12 months of free credit monitoring
- $1 million in identity theft insurance
Officials have advised the public to rely only on updates posted through official University of Hawaii channels and to disregard unsolicited websites or social media messages requesting personal information.
Systemwide Security Enhancements
In response to the UH Cancer Center cyberattack, the University of Hawaii has implemented extensive cybersecurity upgrades. These measures include:
- Installing endpoint protection software with 24/7 monitoring
- Rebuilding compromised systems
- Resetting passwords and replacing affected user accounts
- Migrating sensitive research servers into the UH Information Technology Services data center
- Replacing and upgrading firewalls with enhanced security controls
- Conducting third-party security assessments
- Enforcing stricter access controls and mandatory cybersecurity training
Additionally, the University of Hawaii created a new Information Security Governance Council for Research and established an Information Security Task Force to update policies, strengthen cybersecurity roles, and recommend enterprise-level controls.
Naoto T. Ueno, director of the UH Cancer Center, stated:
“The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted. We take this matter extremely seriously and are committed to transparency, accountability, and strengthening protections for the research data entrusted to us.”
University of Hawaii President Wendy Hensel emphasized the broader response:
“This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed. We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi.”
As investigations continue, the University of Hawaii has indicated it will supplement its legislative report once the full scope of impacted individuals is confirmed.
