The University of Hawai’i (“UH”) has disclosed that its Cancer Center was targeted in a ransomware attack, resulting in the exposure of sensitive research data, including Social Security numbers from some study participants dating back to the 1990s.
According to a report filed with the state Legislature in December 2025, UH said the breach was limited to specific servers supporting research operations at the Cancer Center in Honolulu’s Kakaako district. The university emphasized that the incident did not impact clinical operations, patient care, or medical treatment records.
Breach Limited To Research Systems
UH officials stated that the attack was discovered around August 31, 2025, and was quickly contained. The affected systems were immediately disconnected, and steps were taken to terminate the unauthorized access and mitigate the risk to data. Cybersecurity experts were brought in to investigate and determine the nature and scope of the incident.
Initial reviews suggested that most of the affected files were linked to a single cancer research study and contained only research data without personal identifiers. However, a more detailed electronic review later uncovered older files from the 1990s containing Social Security numbers, which were used at that time to identify research participants before alternative identification methods were adopted.
Ransom Paid To Regain Access And Destroy Data
UH acknowledged that it made the difficult decision to engage with the attackers to protect individuals whose sensitive information may have been affected. Working alongside external cybersecurity experts, the university obtained a decryption tool and says it secured the “destruction of the information the threat actors illegally obtained.”
The UH has not disclosed whether a ransom was paid or how much, nor did it specify which cancer study was affected or how many people were impacted.
Delayed Notification Raises Concerns
Despite discovering the breach in August, UH had not notified affected individuals as of December. The university said it is still working to identify and locate those whose information may have been exposed and will notify them once contact details are confirmed. Impacted individuals will be offered credit monitoring and identity theft protection services where applicable.
The delayed reporting has raised concerns, as Hawaii law generally requires government agencies to notify the Legislature within 20 days of discovering a data breach. UH’s report, filed roughly four months later, did not indicate did not state whether law enforcement requested a delay.
Steps Taken To Improve Security
In response to the attack, UH said it has strengthened security at the Cancer Center by installing 24/7 endpoint protection, rebuilding compromised systems, resetting passwords, replacing firewall infrastructure, and conducting third-party security audits.
A Growing Trend Of Attacks On Universities
The UH incident follows a growing number of cyberattacks on universities nationwide. In recent months, institutions including Harvard, Princeton, the University of Pennsylvania, and Baker University have reported breaches involving ransomware, phishing, and data theft.
As UH continues its investigation, many questions remain unanswered — including the full scope of the data exposure and whether the attackers truly destroyed their copies of the stolen information. For now, affected research participants are still waiting for answers about whether their personal data was compromised in an attack rooted decades in the past.
