University of Hawaii Confirms Ransomware Attack Exposing Data of 1.2 Million Individuals
In August 2025, the University of Hawaii (UH) Cancer Center’s Epidemiology Division suffered a ransomware breach, resulting in the theft of sensitive data belonging to nearly 1.2 million individuals. The attack, confirmed by the university, targeted research files containing personal information, including Social Security numbers (SSNs), driver’s license numbers, and health data from historical studies.
The breach primarily affected participants of the Multiethnic Cohort (MEC) Study (1993–1996), with 87,493 individuals notified in February 2025. An additional 1.15 million people whose data was found in archived driver’s license and voter registration records were also impacted. The compromised files included SSNs from state transportation documents (2000) and voter data (1998), as well as health records from cancer and diet studies conducted between the 1990s and mid-2000s.
The attack was isolated to the Epidemiology Division, with no disruption to clinical trials, patient care, or UH student records. However, the ransomware encrypted critical systems, delaying recovery efforts. In response, UH paid the attackers for a decryption tool and assurances of data destruction to mitigate further exposure.
A December 2024 report to the state legislature confirmed the breach’s limited scope but acknowledged the extensive damage to research infrastructure. UH Cancer Center Director Naoto T. Ueno expressed regret over the incident, emphasizing the institution’s commitment to transparency and enhanced data protections.
This incident follows a 2023 ransomware attack on Hawaiʻi Community College, another UH affiliate, where the university paid a ransom to prevent the leak of data from 28,000 individuals. The repeated breaches highlight ongoing cybersecurity challenges within the UH system.
University of Hawai‘i at Mānoa Outreach College cybersecurity rating report: https://www.rankiteo.com/company/outreachcollegeuniversityofhawaiiatmanoa
"id": "OUT1772533626",
"linkid": "outreachcollegeuniversityofhawaiiatmanoa",
"type": "Ransomware",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,200,000 individuals',
'industry': 'Healthcare/Research',
'location': 'Hawaii, USA',
'name': 'University of Hawaii Cancer Center - '
'Epidemiology Division',
'type': 'Educational/Research Institution'}],
'customer_advisories': 'Notifications sent to 87,493 MEC Study participants '
'(February 2025) and 1.15 million additional '
'individuals',
'data_breach': {'data_encryption': 'Yes (ransomware encrypted systems)',
'data_exfiltration': 'Yes',
'number_of_records_exposed': '1,200,000',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII and health records)',
'type_of_data_compromised': ['Social Security numbers',
'Driver’s license numbers',
'Health data',
'Voter registration data']},
'date_detected': '2025-08',
'date_publicly_disclosed': '2025-02',
'description': 'In August 2025, the University of Hawaii (UH) Cancer Center’s '
'Epidemiology Division suffered a ransomware breach, resulting '
'in the theft of sensitive data belonging to nearly 1.2 '
'million individuals. The attack targeted research files '
'containing personal information, including Social Security '
'numbers (SSNs), driver’s license numbers, and health data '
'from historical studies. The breach primarily affected '
'participants of the Multiethnic Cohort (MEC) Study '
'(1993–1996), with additional impacts on archived driver’s '
'license and voter registration records.',
'impact': {'brand_reputation_impact': 'Extensive damage to research '
'infrastructure and institutional '
'reputation',
'data_compromised': 'Sensitive personal information, including '
'SSNs, driver’s license numbers, and health '
'data',
'downtime': 'Delayed recovery efforts due to encrypted systems',
'identity_theft_risk': 'High (SSNs and personal data exposed)',
'operational_impact': 'Disruption to research infrastructure; no '
'impact on clinical trials, patient care, or '
'student records',
'systems_affected': 'Epidemiology Division research systems'},
'investigation_status': 'Confirmed',
'lessons_learned': 'Ongoing cybersecurity challenges within the UH system; '
'need for enhanced data protections',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': 'Enhanced data protections '
'and transparency measures',
'root_causes': 'Cybersecurity vulnerabilities in '
'research infrastructure'},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_paid': 'Yes'},
'recommendations': 'Improve cybersecurity measures to prevent repeated '
'breaches',
'references': [{'source': 'University of Hawaii Statement'}],
'regulatory_compliance': {'regulatory_notifications': 'Reported to state '
'legislature (December '
'2024)'},
'response': {'communication_strategy': 'Transparency with affected '
'individuals and state legislature',
'containment_measures': 'Isolation of affected systems',
'remediation_measures': 'Paid ransom for decryption tool and '
'assurances of data destruction'},
'stakeholder_advisories': 'State legislature notified; affected individuals '
'informed',
'title': 'University of Hawaii Ransomware Attack Exposing Data of 1.2 Million '
'Individuals',
'type': 'Ransomware'}