University of Hawaii (UH) Cancer Center Ransomware Attack Exposes Patients’ Social Security Numbers

Written by:
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Ransomware Attack: The University of Hawaiʻi Cancer Center suffered a ransomware attack in August, resulting in the encryption of research files and a ransom demand.
  • Delayed Notification: The university discovered the breach in August but did not report it to the state legislature or notify affected individuals until December, a delay of four months.
  • Patient Data Exposed: Social Security numbers and other sensitive personal information belonging to participants in a cancer study were compromised in the attack.

The University of Hawaiʻi (UH) Cancer Center has confirmed that it was targeted by a ransomware attack in August, resulting in unauthorized access to sensitive patient data without impacting clinical operations or patient care. Threat actors breached the center's servers and encrypted files related to a specific cancer research study.

Officials stated that a decision was made to "engage with the threat actors" to protect the compromised information, though details regarding any ransom payment have not been disclosed.

Delayed Reporting Raises Compliance Questions

According to a report filed with the state legislature, the attackers accessed and exfiltrated a subset of research files dating back to the 1990s that contained the Social Security numbers of the cancer study participants.

“The affected data was contained in research files and was not part of the medical records for patients treated at or in conjunction with the Cancer Center,” said the filing, which dates the discovery of the data exposure to December 2025.

A critical aspect of the University of Hawaii data breach is the four-month delay between the August discovery of the intrusion and the official notification to the legislature and affected individuals. State law generally requires government agencies to report security breaches within 20 days, and the university has not clarified whether a law enforcement request prompted the delay.

“Due to the extensiveness of the encryption by the threat actors, it took some time for UH to restore the affected systems and be in a position to assess the impact to data,” the report added.

Cybersecurity Implications for Patient Data

The ransomware attack on cancer center servers exposed a trove of highly sensitive information, including the Social Security numbers of study participants. “UH is also simultaneously continuing an electronic review of the remaining files for any additional sensitive information,” the filing added.

In response, UH has reset passwords, deployed enhanced monitoring software, and initiated a third-party security assessment. The university plans to offer credit monitoring and identity theft protection services to those whose patient data was exposed. 

Cyberattacks on healthcare and research institutions have long-lasting consequences, as compromises can have profound impacts on both individual privacy and scientific progress. A January report said that healthcare breaches still matter years later.

