1.2 million affected in UH Cancer Center ransomware data breach

A ransomware attack at the University of Hawaii Cancer Center has exposed the personal information of approximately 1.2 million individuals.

What happened

According to Security Week, the University of Hawaii Cancer Center disclosed a ransomware attack that exposed the personal data of approximately 1.2 million individuals. The breach stemmed from a cyberattack on August 31, 2025, when hackers infiltrated servers supporting the center’s research operations and exfiltrated sensitive information. As a result of the breach, the attackers stole a range of personal data, including names, Social Security numbers, driver’s license information, voter registration details, and health-related information.

Although the attackers compromised research systems, the university stated that clinical operations and patient care systems were not affected.

Going deeper

According to BankInfo Security, the breach primarily impacted servers used by the Cancer Center’s epidemiology division, which manages long-running research studies involving large patient datasets. Investigators discovered that the attackers accessed files associated with cancer research participants, compromising records from a multiethnic health study spanning decades. Among the exposed files were details on 87,493 participants, some of which contained personal identifiers and health information related to the research.

The incident may also affect a much broader group of 1.15 million individuals whose information was stored in historical datasets used for research recruitment and analysis. These records include personal identifiers gathered from external sources such as voter registration and driver’s license data, which were historically used to identify potential research participants. In some cases, these records included sensitive identifiers such as Social Security numbers, reflecting older data-collection practices.

What was said

According to a news release by the university, “an unauthorized third party encrypted and potentially exfiltrated data containing personal information. The university notified law enforcement and worked with third-party cybersecurity experts to obtain a decryption tool, and secure an affirmation that any information obtained was destroyed.” The university reassured the public, noting that “There was no impact to information held by the UH Cancer Center’s Clinical Trials operations, patient care, or any other divisions of the UH Cancer Center. There was no impact to UH student records.”

Notification letters were sent out to the “87,493 MEC Study participants.” However, while the investigation is still ongoing, the university says that it “is confident that any other personal information (SSNs or drivers’ license numbers in combination with names) found will be nominal and, where possible, those individuals will receive separate notice.”

In the know

According to Paubox’s The Healthcare Email Security Report, “Since 2018, ransomware attacks on healthcare organizations have surged by 264%, according to the OCR.” This increase indicates that healthcare institutions have become the main targets for cybercriminals.

Cybercriminals may be targeting the healthcare sector due to the value of health information on the black market. As the Center of Information Security explains, “The average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158. For healthcare agencies the cost is an average of $355. Credit card information and PII sell for $1-$2 on the black market, but PHI can sell for as much as $363 according to the Infosec Institute. This is because one’s personal health history, including ailments, illnesses, surgeries, etc., can’t be changed, unlike credit card information or Social Security Numbers.”

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQS

What is a ransomware attack?

A ransomware attack occurs when cybercriminals gain access to an organization’s systems, encrypt files, and demand payment to restore access.

Does paying a ransom guarantee that stolen data is safe?

No. While some attackers promise to delete data or provide decryption keys, paying a ransom does not guarantee full protection or prevent future misuse.

How can healthcare organizations prevent breaches?

Organizations can implement strong cybersecurity policies, encrypt data, train staff on cyber-hygiene, regularly update software, and monitor systems for suspicious activity.