University of Hawaii Cancer Center pays ransom after data breach exposes SSNs
Learn More
The University of Hawaii (UH) Cancer Center reports a ransomware attack on August 31, 2025 in which attackers broke into a server hosting a single research project.
The incident did not prevent regular patient treatment, but the hackers encrypted files. The university disconnected the affected systems immediately to stop the spread of the malware.
The investigation confirmed that hackers stole a set of research files. Most of these documents did not have names attached to them bit, the school found older files from the 1990s that contained Social Security numbers. In those years, the university used these numbers to identify people in its studies. The compromised data includes:
- Social Security numbers (SSNs) from the 1990s
- Research study files
- Historical personal information
- Internal research data
The number of affected individuals is not disclosed.
UH leaders decided to pay the ransom to the criminal group. The school hired outside security teams to help with the payment and the investigation.
It's not clear whether the school got the decryption key, and it's always suspect whether criminals have deleted the stolen files even after being paid.
Update - as of 27th of February 2026, University of Hawaiʻi Cancer Center's Epidemiology Division reports the incident exposed Social Security numbers and driver's license data of up to 1.15 million individuals, primarily from historical driver's license and voter registration records used to recruit participants for the Multiethnic Cohort Study.
UH is offering affected individuals free credit monitoring and identity theft insurance, and has implemented extensive cybersecurity improvements across its campuses in response.
