WANAN YOSSINGKUM/istock via Gett
University of Hawaii Cancer Center discloses ransomware attack
The University of Hawaii Cancer Center told state regulators that it paid a ransom to obtain a decryption tool and secure stolen patient data.
The University of Hawaii Cancer Center notified state regulators of a ransomware attack that occurred in August 2025. The cancer center said that the patient data stolen in the attack consisted of Social Security numbers of participants in a cancer research study that took place in the 1990s.
The university cancer center also said it engaged with threat actors, paying a ransom to obtain a decryption tool and ensure that they destroyed the stolen information.
“During the course of the investigation, it was determined that an unauthorized third party had access to and the opportunity to exfiltrate a subset of research files on the servers supporting the research operations at the Cancer Center," the notice stated.
"Due to the extensiveness of the encryption by the threat actors, it took some time for UH to restore the affected systems and be in a position to assess the impact to data."
The initial review indicated that the stolen data only pertained to a specific cancer study and contained no personal information. Further investigation determined that a set of files dating back to the 1990s contained Social Security numbers for study participants.
In the 1990s, the cancer center used Social Security numbers to identify research participants. It has since changed its method of identifying subjects.
The University of Hawaii Cancer Center has started the process of compiling the names and addresses of affected individuals, who will be notified and offered credit monitoring, where applicable. The notice did not indicate how many individuals were impacted by the breach.
Since discovering the ransomware attack, the University of Hawaii has taken steps to bolster its security, including installing endpoint protection software, resetting passwords and rebuilding its network.
The organization said it also retained third-party experts to respond to the incident, created replacement accounts for any compromised user accounts and conducted a third-party assessment to validate the cancer center's security controls.
Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.
