Patient Data Stolen in University of Hawaii Cancer Center Ransomware Attack

By Daniel Lopez

The University of Hawaii Cancer Center, a HIPAA-covered entity, has announced a ransomware attack that occurred in August 2025 and resulted in the theft of sensitive information of research participants. The University of Hawaii Cancer Center, located in the Kakaʻako district of Honolulu, is the designated National Cancer Institute center in the state. According to the cancer center’s press release and breach reports submitted to state attorneys general, it experienced unauthorized access to its computer system on or around August 31, 2025.

The cancer center isolated the breached servers and started an investigation to determine the nature and extent of the suspicious activity. The University of Hawaii Cancer Center confirmed a ransomware attack that resulted in a network breach, file encryption, and the theft of research files containing patient data. The ransomware attack did not affect the electronic medical record system; nevertheless, the attacker obtained files that included patients’ protected health information (PHI).

Most of the stolen records belong to one research project. Analysis of those records showed that some included the Social Security numbers of research participants from the 1990s. The University of Hawaii Cancer Center said that Social Security numbers were considered patient identifiers in the 1990s. That practice is no longer followed, as alternative identifiers are now available.

Because of the highly sensitive nature of the stolen information, the University of Hawaii Cancer Center decided to work with third-party cybersecurity specialists to obtain a decryption tool to recover the encrypted information, and made a ransom payment to stop the threat actor from publishing the stolen information. UH received assurances that the attacker deleted all of the stolen data.

Files not related to the research are still under review to determine whether they include any patient information. The center has not yet sent notification letters to the affected individuals. Notification letters will be mailed when updated contact details are available. The University of Hawaii Cancer Center said the impacted individuals will be provided free credit monitoring and identity theft protection services.

Although the cancer center paid the ransom, recovery of the encrypted files and affected systems took some time because of the scope of the file encryption. Additional measures were implemented to reinforce security, including upgrading the firewall with extra security features and setting up endpoint protection software with continuous monitoring. The University of Hawaii Cancer Center stated that third-party cybersecurity specialists have evaluated and confirmed the new security controls.

The University of Hawaii Cancer Center reported the incident to regulators. Because the file review is not yet complete, the number of affected individuals has not been announced.

Image credits: siriwat/Gorodenkoff, Adobestock

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA