The University of Hawaiʻi Cancer Center’s Epidemiology Division confirmed that a ransomware attack discovered in August 2025 has potentially exposed personal information for nearly 1.2 million people, according to official notices from the institution and reporting on the breach. The cyberattack targeted servers containing epidemiology research data, leading to the encryption and likely exfiltration of data files that included Social Security numbers, driver’s license information, and voter registration records. Investigators said the incident did not affect clinical operations, patient care systems, or University of Hawaiʻi student records.
The breach first came to light on August 31, 2025, when the university’s IT staff detected unauthorized activity on research servers used by the Cancer Center’s Epidemiology Division. The division supports long-running studies of cancer risk and disease patterns, including the Multiethnic Cohort (MEC) Study established in 1993. The MEC Study recruited participants from Hawaiʻi and Los Angeles to examine cancer risks across diverse populations, and historical data linked to it was among the records accessed during the attack.
Preliminary assessment by the university found that files related to the MEC Study contained names and Social Security numbers for participants. The breach also involved historical driver’s license records collected in 2000 by the Hawaiʻi State Department of Transportation and Honolulu voter registration data from 1998, both of which used Social Security numbers as identifiers at the time of collection. The combination of these sources expanded the number of potentially impacted individuals beyond MEC Study participants.
In a February notice, officials said letters offering credit monitoring and identity protection services were mailed to about 87,493 individuals who participated in the MEC Study and whose contact information was confirmed. The university also said it had located contact details for roughly 900,000 other people whose information could have been included in the compromised historical records. Notice of the breach continues via email and a dedicated information website for those potentially affected.
The attackers encrypted the compromised systems, which delayed restoration efforts and made it difficult to immediately assess the full scope of the breach. The university engaged third-party cybersecurity experts and reported the incident to law enforcement as part of its response. At the time of the attack, officials obtained a decryption tool and said they secured assurances that any stolen information would be destroyed, though they have not provided details on the identity of the threat actors.
University leadership said the attack was isolated to the Epidemiology Division’s systems and did not affect clinical trials, patient care, or other divisions of the Cancer Center. The university’s president announced plans for a comprehensive review of information technology systems across all campuses to identify and strengthen security controls in research and administrative environments.
The breach’s impact relates primarily to historical research data that contained sensitive personal identifiers. Investigations into whether other types of information were accessed or exfiltrated are continuing, with the university saying it will notify individuals separately if additional compromised data is identified.
In response to the incident, the university has implemented measures including network hardening, expanded endpoint protection with continuous monitoring, migration of sensitive research servers to managed data centers, stricter access controls for sensitive data, and enhanced cybersecurity training for staff. Independent third parties are also engaged to assess and validate the security controls for the Cancer Center.
University officials have encouraged those potentially affected to use the credit monitoring and identity protection services offered and to stay informed through official university communication channels and the dedicated resource website for the cyberattack.