The Ultimate Guide To Cybersecurity In The Real World. - Register Here
The Ultimate Guide To Cybersecurity In The Real World. - Register Here
Hoplon InfoSec Logo

University of Hawaiʻi Cancer Center Data Breach Cyberattack

University of Hawaiʻi Cancer Center Data Breach Cyberattack

Hoplon InfoSec

07 Mar, 2026

Recently, the University of Hawaiʻi Cancer Center said that its Epidemiology Division was the target of a serious cyberattack. People were worried about the incident because some of the files that were affected may have had private information like Social Security numbers and driver's license numbers.

The university's official statements say that the cyberattack gave hackers access to research servers used for epidemiology studies without permission. The hacker encrypted some files and may have also copied some datasets during the attack.

The university thinks that information about more than a million people could be involved, even though the investigation is still going on. The situation brings up an important point about cybersecurity today. Cybercriminals may even go after historical research databases that were made decades ago.

This article talks about what happened, what information may have been made public, how many people may be affected, and what the university is doing to make things safer.

The Cyberattack

The cyberattack happened on servers that help with research on diseases at the University of Hawaiʻi Cancer Center.

The university's official statement says that an unauthorized third party got into some systems and encrypted some of the data that was stored there. Encryption of files is often linked to ransomware attacks, but the university has not publicly confirmed the type of attack that happened.

Some files may have also been stolen, according to investigators. Data exfiltration means that information may have been copied and sent outside of the company.

When the university saw something suspicious, it took a number of quick steps:

• Officials in charge of law enforcement were told
• Cybersecurity experts from outside the company were brought in.
• Investigated and secured systems
• We got a decryption tool to get back into encrypted data.

Officials said that, so far, they haven't found any proof that the stolen data has been made public or used in a bad way. But the investigations are still going on.

Cyberattack on research servers workflow

 Old Data Targeted

The age of the data is one of the strangest things about this event.

A lot of the data on the affected servers came from research recruitment efforts that took place decades ago.

Two important datasets were used:

2000 Driver's License Records

Around the year 2000, the Hawaiʻi State Department of Transportation gave us a file with names and driver's license numbers.

At that time, many driver's license numbers in Hawaiʻi were based on Social Security numbers. This practice may have led to the dataset having identifiers that are linked to SSNs.

1998 Voter Records

Another file had voter registration records from the City and County of Honolulu that were collected in 1998.

Voter registration records often had Social Security numbers as identifiers during that time.

These records were initially collected for the purpose of research recruitment, not for governmental administration.

Multiethnic Cohort Study

A significant portion of the potentially exposed information pertains to the Multiethnic Cohort Study.

This study started in 1993 and is thought to be one of the most important long term epidemiological studies in the US.

Important things to know about the study:

• Over 215,000 people took part.
• The people who took part were between 45 and 75 years old.
• People were hired between 1993 and 1996.
• People came from Los Angeles and Hawaiʻi to take part.
• The study looks at diet, lifestyle, and the risk of getting cancer.

The study's objective has been to elucidate the impact of lifestyle factors on cancer development across various ethnic and racial groups.

The study has a lot of information about people and their health history because it follows them for a long time.

People Affected

According to the university's current analysis, two groups of people may be affected.

Study Participants

About 87,493 people who took part in the study may have had their information included in the affected research files.

Recruitment Data

Along with study participants, historical records of driver's licenses and voter registrations may contain information about 1.15 million people.

People mostly used these records to find people who might be interested in research projects.

The university thinks that these historical records show that a lot more people outside of the main study group are affected.

Possible Data Exposure

The files on the affected servers could have a lot of personal and research information in them.

Some of the information that could be exposed is:

• Names in full
• Numbers for Social Security
• Numbers on driver's licenses
• Information about registering to vote
• Questionnaires for research
• Data on health related research
• Data from public health registries at the state and national levels

Not everyone has the same amount of exposure. The university said that investigations are still going on to find out which datasets were accessed

Cyberattack breakdown on research servers

Systems Not Affected

The university stressed that the cyberattack did not affect a number of important systems.

The official announcement said that the following areas were not affected:

• Running clinical trials
• Systems for taking care of patients
• Other parts of the cancer center
• Records of students at the University of Hawaiʻi

This means that the event only affected some research servers used for epidemiology studies.

Director Statement

Dr. Naoto T. Ueno, the head of the University of Hawaiʻi Cancer Center, talked about the situation in a public statement.

He said he was sorry that the event happened and recognized how it affected those who were involved. He also stressed the school's dedication to being open and protecting data better.

The statement says that the cancer center takes the safety of research data very seriously and is working to make it even safer.

Support for Affected People

The university has started to let people who may have been affected know.

Notifications

On February 23, 87,493 people who took part in the study got letters in the mail.

About 900,000 email addresses were found for more notifications.

The university also made a public announcement and set up an online information portal for updates.

Identity Protection

People who are affected are being offered the following services:

• 12 months of free credit monitoring
• Coverage for identity theft protection of up to $1 million

The university also set up special call centers where people can check to see if their information may have been involved.

Security Improvements

After the cyberattack, the University of Hawaiʻi Cancer Center started to make a number of improvements to its cybersecurity.

These are:

• Redesigning and making the network infrastructure stronger
• Putting in place modern endpoint protection systems
• Setting up 24 hour monitoring all the time
• Updating the hardware used for research servers
• Putting sensitive research systems in a university data center that is safer
• Making access control rules stronger
• Increasing the amount of cybersecurity training for employees

The goal of these changes is to lower the chance of similar events happening again.

Systemwide Security Review

The response has spread beyond the cancer center.

Wendy Hensel said that the university will do a full review of all ten campuses' information technology systems.

A number of new projects have already begun.

Some of these are:

• Setting up a council for information security governance for research programs
• Setting up a task force for information security
• A look at the rules and responsibilities for cybersecurity
• Review of investments in security for the future

The goal is to make sure that sensitive data is better protected across the whole university system.

Why Research Institutions Are Targeted

Cybersecurity experts often say that research institutions have important information that attackers want.

Medical and research databases often have:

• identifiers for people
• information about health
• records of long term participants
• data sets for demographics

These sources of information could be useful for identity theft or other bad things.

Another problem is that many research projects keep historical datasets that were made before modern cybersecurity practices were in place. If systems aren't updated, this can make things riskier.

Key Lessons

The cyberattack on the University of Hawaiʻi Cancer Center teaches organizations that deal with sensitive data a lot of important things.

First, historical datasets can still be at risk decades later.

Second, research institutions need to check and update their security systems on a regular basis.

Third, research systems need strict access control and monitoring to stay safe.

Lastly, if something bad happens, businesses need to be ready to act quickly and openly.

Conclusion

The cyberattack on the University of Hawaiʻi Cancer Center shows how research institutions are becoming more vulnerable to cyberattacks.

The attack used historical research databases, but the fact that it could have affected more than a million people shows how valuable these datasets can be to hackers.

The investigation is still going on, and officials say there is no proof that the data has been made public or used in the wrong way. However, this event serves as a reminder that good cybersecurity is necessary to keep sensitive data safe in both new and old systems.

As universities and research centers keep handling a lot of personal and health related data, making their cybersecurity stronger will always be a top priority.

  •    For more latest updates like this, visit our homepage.


 

Share this :

Latest News