The center disclosed that research files containing sensitive patient information were taken during an August 2025 intrusion.
The University of Hawaii Cancer Center reported that unauthorized access to its network was discovered around August 31, 2025, and investigators later confirmed that a ransomware group encrypted systems and removed research files containing protected health information. According to a press release issued by the University of Hawaii, the attackers accessed servers used for research activities, while the electronic medical record system remained unaffected. The university said it engaged with the threat actors and paid a ransom to obtain a decryption tool and to secure assurances that the stolen data was destroyed.
“During the course of the investigation, it was determined that an unauthorized third party had access to and the opportunity to exfiltrate a subset of research files on the servers supporting the research operations at the Cancer Center,” the notice stated. University officials added that “due to the extensiveness of the encryption by the threat actors, it took some time for UH to restore the affected systems and be in a position to assess the impact to data.” The stolen files included information tied to research participants, and the incident has been reported to regulators while the full scope of affected individuals continues to be assessed.
The cancer center said the intrusion primarily affected files associated with a single long-running research project. Some of the records contained Social Security numbers dating back to the 1990s, reflecting legacy research practices that have since been discontinued but remained present in archived data. Given the sensitivity of the information and the risk of disclosure, the organization engaged external cybersecurity specialists and obtained a decryption tool. Officials confirmed that a ransom was paid after receiving assurances that the stolen data would be deleted. A broader file review is still underway to determine whether additional research data was impacted.
University officials said notification letters have not yet been issued because contact details for some research participants are outdated, but affected individuals will be notified once verification is complete and will be offered credit monitoring and identity theft protection services. The university also acknowledged that system recovery took longer than expected due to the extent of file encryption. Following the incident, the cancer center implemented additional safeguards, including upgraded firewall protections and enhanced endpoint monitoring, which were reviewed and validated by external cybersecurity experts.
Recent disclosures show that universities remain frequent targets for both phishing and ransomware activity. BleepingComputer reported that multiple US institutions, including Princeton University, Harvard University, and the University of Pennsylvania, were breached in voice phishing attacks beginning in late October, exposing donor, alumni, staff, and student data through compromised development systems. Harvard and Penn were also hit again by the Clop ransomware group, which exploited an Oracle E-Business Suite zero-day vulnerability to steal sensitive personal and financial information. In a separate case, Baker University disclosed in December that attackers had accessed its network the prior year, resulting in the exposure of personal, health, and financial data belonging to more than 53,000 individuals.
Decades ago, Social Security numbers were commonly used as unique identifiers in healthcare and research before stronger privacy standards were established.
No. The organization stated that its electronic medical record system was not impacted and that the breach involved research-related servers.
Some organizations choose to engage attackers to recover encrypted data or prevent the publication of highly sensitive information, though this decision carries legal and ethical considerations.
Exposure of identifiers and clinical details can increase the risk of identity theft and misuse of personal health information, even if no immediate abuse is detected.
Organizations can review and purge legacy identifiers, encrypt archived data, segment research networks, and conduct regular security assessments focused on older data sets.