University of Hawai'i Cancer Center
Analysis of the University of Hawai'i Cancer Center ransomware attack affecting up to 1.24 million individuals. Legacy research data from the 1990s exposed including SSNs.
Published by the Scrutex.ai Research Team | March 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
University of Hawai'i Cancer Center
Research institution within the University of Hawai'i system, conducting cancer research including the long-running Multiethnic Cohort Study established in 1993.
Sector
Healthcare / Academic Research
Region
United States
Date of Incident
August 31, 2025 (detected)
Date Disclosed
February 28, 2026
Estimated Impact
Up to approximately 1.24 million individuals
Data Types Exposed
Social Security numbers, driver's licence numbers, health questionnaires
Attack Type
Ransomware
Attack Vector
Ransomware targeting servers in Epidemiology Division
Threat Actor
Not publicly named
Current Status
Notifications sent. 12 months free credit monitoring offered. UH engaged with hackers and obtained decryption tool.
Severity Assessment
Critical. Up to 1.24 million individuals affected by exposure of legacy research data spanning decades, including SSNs used as identifiers in the 1990s.
What Happened
The University of Hawai'i (UH) Cancer Center disclosed in late February 2026 that it had been the victim of a ransomware attack targeting servers within its Epidemiology Division. According to the university's official statement, the attack was detected on or about August 31, 2025.
The attackers encrypted research data and, according to UH, provided evidence that they had potentially exfiltrated a portion of that data. The university stated that it engaged cybersecurity experts who obtained a decryption tool and secured what it described as "an affirmation that any information obtained was destroyed." UH has not publicly confirmed whether a ransom payment was made, though reporting by Honolulu Civil Beat and the Associated Press noted that the university "engaged with the hackers" and that the FBI generally discourages ransom payments.
The compromised data reportedly includes Social Security numbers and driver's licence numbers drawn largely from Hawaii Department of Transportation records collected around 2000 and City and County of Honolulu voter registration records from 1998. These records were originally used to recruit participants for the Multiethnic Cohort Study, a long-running cancer research project established in 1993. Some research health questionnaires were also among the exposed files.
According to the university's notice and reporting by The Record, approximately 1.15 million to 1.24 million individuals may be affected. Notification letters were sent to initial groups of identified participants starting February 23, 2026, with broader notification via email and public announcement following on February 28.
UH stated that the breach did not affect the Cancer Center's clinical trials operations, patient care, or student records. The university is offering affected individuals 12 months of free credit monitoring and identity theft insurance.
This is not the first ransomware incident involving the University of Hawai'i system. In 2023, Hawai'i Community College dealt with a separate ransomware attack attributed to the NoEscape group, which affected approximately 28,000 individuals.
Timeline
August 31, 2025
Ransomware attack detected targeting Epidemiology Division servers
September-December 2025
Forensic investigation conducted; UH engages with threat actor and obtains decryption tool
February 23, 2026
Initial notification letters sent to identified affected participants
February 28, 2026
Public disclosure via university news release and broader notification
Impact and Risk Assessment
For Affected Individuals
Up to 1.24 million individuals, primarily participants in the Multiethnic Cohort Study, had SSNs and driver's licence numbers exposed.
Much of the exposed data dates to the 1990s and early 2000s, when SSNs were routinely used as research identifiers. Many affected individuals may not have been aware their data was still held by the university.
Health questionnaire data from cancer research participants was also among the exposed files.
For Organisations
The University of Hawai'i system faces reputational damage and potential regulatory scrutiny, particularly given this is the second ransomware incident in three years.
Research institutions nationally may face increased scrutiny of how they manage legacy research datasets.
Regulatory Context
Hawaii state law generally requires government agencies to report breaches to the legislature within 20 days, though exceptions exist when law enforcement advises delay.
The six-month gap between detection and public notification may draw regulatory scrutiny regarding timely disclosure obligations.
What Should You Do?
If You Are a Potentially Affected Individual
If you participated in cancer research studies at the University of Hawai'i, particularly the Multiethnic Cohort Study, monitor your credit reports for signs of identity misuse.
Take advantage of the 12 months of free credit monitoring and identity theft insurance being offered.
Consider placing a fraud alert or credit freeze, particularly given that SSNs were among the exposed data.
If You Are a Security or Risk Professional
Inventory historical research data in your organisation. Assess what identifiers are stored, whether they are still needed, and apply appropriate controls including encryption at rest and network segmentation.
If data from decades ago is still sitting on a server accessible from the network, it needs to be either securely archived offline or properly protected.
The broader lesson is that ransomware groups are increasingly targeting organisations outside the traditional corporate perimeter: universities, research centres, and healthcare systems that may lack the security budgets of large enterprises but hold data that is just as valuable to attackers.
Learnings and Recommendations
Research institutions often hold datasets that span decades, collected in eras when SSNs were routinely used as identifiers. These "legacy data vaults" represent a unique risk: the data is highly sensitive, rarely accessed, and frequently overlooked in security planning.
The six-month gap between detection (August 2025) and public notification (February 2026) also raises questions about timely disclosure, a growing area of regulatory focus in the United States. Hawaii state law generally requires government agencies to report breaches to the legislature within 20 days, though exceptions exist when law enforcement advises delay.
For academic and research institutions, this incident is a call to inventory historical research data, assess what identifiers are stored and whether they are still needed, and apply appropriate controls including encryption at rest, network segmentation, and endpoint detection. If data from the 1990s is still sitting on a server accessible from the network, it needs to be either securely archived offline or properly protected.
The broader takeaway is that ransomware groups are increasingly targeting organisations outside the traditional corporate perimeter: universities, research centres, and healthcare systems that may lack the security budgets and staffing of large enterprises but hold data that is just as valuable to attackers.
Sources
- University of Hawai'i System News - Notice of UH Cancer Center cyberattack
- The Record (Recorded Future) - University of Hawaii Cancer Center confirms data leak
- Hackread - Ransomware Breach at University of Hawaii Cancer Center
- Honolulu Civil Beat - UH Engaged With Hackers Who Highjacked Cancer Study Data
- Security Magazine - 1M Impacted by University of Hawaii Cancer Center Breach
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.