University of Hawaii Cancer Center reported a ransomware attack discovered in August 2025 that resulted in the theft of sensitive research data, including Social Security numbers from cancer study participants dating back to the 1990s. The university engaged with the attackers and paid a ransom, but faced scrutiny for delaying notification to affected individuals by approximately four months.
University of Hawaii Cancer Center, the only National Cancer Institute-designated center in Hawaii, disclosed that it experienced a significant data security incident in late August 2025. Located in the Kakaʻako district of Honolulu, the Cancer Center employs over 300 faculty and staff members along with approximately 200 affiliate researchers.
According to a report submitted to the Hawaii State Legislature in December 2025, the ransomware attack was discovered on or about August 31, 2025. The incident was isolated to specific servers supporting research operations at the Cancer Center and did not impact clinical operations or patient care. The university emphasized that the affected data was contained in research files and was not part of the medical records for patients treated at the Cancer Center.
The attack caused extensive damage by encrypting compromised systems, which delayed the university’s restoration efforts and investigation into the full scope of data impacted. The university acknowledged engaging with the threat actors and obtaining decryption tools, though officials have declined to disclose whether a ransom was paid or the amount involved.
What Information Was Exposed In the University of Hawaii Cancer Center Data Breach?
According to the university’s disclosure, the breach primarily affected research files from a specific cancer study. The initial review identified that a majority of files contained only research data with no personal information about research subjects. However, as the investigation progressed, the university confirmed the existence of a set of files dating back to the 1990s that contained Social Security numbers for study participants.
These Social Security numbers were used in the 1990s to identify research participants before the university began using different identification methods. The exposure of Social Security numbers, even from decades-old records, creates significant identity theft risks for affected individuals.
The total number of individuals whose data was compromised has not been publicly disclosed by the university.
How University of Hawaii Cancer Center Responded to the Breach?
Upon discovering the ransomware attack on August 31, 2025, the University of Hawaii promptly disconnected affected systems and took steps to terminate the unauthorized access and mitigate risk to data. The university engaged cybersecurity experts to investigate and determine the nature and scope of the incident.
The university retained a third-party vendor to conduct a formal electronic review of the affected files. In a controversial decision, the university engaged with the ransomware operators to obtain decryption tools and assurances that the stolen data would be destroyed, though the FBI discourages paying ransoms to hackers.
In response to the attack, the university has strengthened security at the Cancer Center by installing 24/7 endpoint protection software, rebuilding compromised systems, resetting passwords, replacing firewall infrastructure, and conducting third-party security audits.
The university has begun compiling the names and addresses of affected individuals, who will be notified and offered credit monitoring services where applicable. However, the delayed notification—approximately four months after the breach was discovered—has raised concerns about potential violations of Hawaii state law, which generally requires government agencies to notify the Legislature within 20 days of discovering a data breach.
How to Check If Your Personal Info Is Exposed
If you participated in a cancer research study at the University of Hawaii Cancer Center, particularly studies conducted in the 1990s, your personal information including your Social Security number may have been exposed in this breach. The university has indicated it will notify affected individuals as contact information is determined.
Monitoring your accounts, reviewing credit reports, and watching for any notification letters from the university are all crucial steps in assessing your potential exposure. Given that the stolen data may date back decades, some affected individuals may not immediately associate themselves with the Cancer Center’s research programs.
What You Can Do If Your Information Was Exposed
If your personal information may have been part of the University of Hawaii Cancer Center breach, it is wise to review your accounts for unfamiliar activity, update account passwords, and consider placing a fraud alert or credit freeze with major credit bureaus. Given that Social Security numbers were exposed, monitoring for signs of identity theft is particularly important.
The university has indicated it will offer credit monitoring services to affected individuals. Staying alert to unexpected calls, emails, tax documents, or financial statements can help you catch suspicious behavior early. Acting now can limit the long-term consequences of this breach and protect your financial and personal information in the future.
Understanding Your Legal Rights: Data Breach Lawyer Near Me
Victims of data breaches may be entitled to legal remedies if an organization did not adequately safeguard their personal information or failed to provide timely notification of the breach. The approximately four-month delay between the University of Hawaii Cancer Center’s discovery of the breach and notification to affected individuals raises significant legal and compliance concerns.
Almeida Law Group is actively reviewing the University of Hawaii Cancer Center incident to determine what legal options may be available for those affected.
If you participated in a research study at the University of Hawaii Cancer Center and believe your information may have been exposed, you can contact Almeida Law Group for a free consultation.
