University of Hawaii Cancer Center Ransomware Breach and Delayed Disclosure
The University of Hawaii (UH) Cancer Center disclosed that a ransomware intrusion affecting a single cancer research project led to the encryption of systems and the theft of a limited set of research files, including some legacy documents from the 1990s containing Social Security numbers used to identify study participants. UH reported the incident occurred in late August 2025 and said clinical operations and patient care were not impacted, but recovery and investigation were delayed due to the extent of encryption damage; UH also stated it engaged external experts, isolated affected systems, and negotiated with the attackers, including paying to obtain a decryptor and seeking assurances of deletion of stolen data.
The disclosure drew scrutiny because UH reportedly notified the state legislature well after Hawaii’s 20-day breach reporting deadline, and the university has not provided key details such as the specific research project, the number of affected individuals, or concrete measures proving the stolen data was not exposed after negotiations. Separate reporting on unrelated ransomware activity included Everest claiming a breach of Nissan with an alleged 900GB data theft and Trellix research describing CrazyHunter ransomware targeting Taiwan healthcare organizations; those items do not appear connected to the UH Cancer Center incident beyond being ransomware-related.
Timeline
Jan 15, 2026
Cancer Center implements post-incident security hardening
Following the attack, UH reported remediation measures including endpoint protection deployment, password resets, system replacement, firewall replacement, 24/7 monitoring, and third-party security audits. These steps were described as part of recovery and efforts to prevent recurrence.
Jan 15, 2026
UH says affected individuals will be notified once contact details are confirmed
By mid-January 2026, the cancer center said it was preparing notification letters for impacted research participants, including some from 1990s studies. It stated that notices were delayed while current contact information was being determined and that credit monitoring and identity protection would be offered.
Jan 12, 2026
Official report to Hawaii Legislature details delayed breach disclosure
About four months after the attack, the university submitted an official report to the Hawaii Legislature in January 2026 describing the incident, the stolen data, and response actions. The timing drew concern because it appeared to exceed statutory notification expectations.
Dec 1, 2025
University discloses incident to Hawaii state officials
In December 2025, the University of Hawaii reported the ransomware incident to state officials. The disclosure included that a ransom had been paid to obtain a decryptor and seek deletion of stolen data.
Dec 1, 2025
University pays ransom and obtains decryptor
The university engaged with the threat actors, paid a ransom through third-party experts, and obtained a decryption tool to restore encrypted data. It also received assurances that the stolen data would be deleted or 'securely destroyed.'
Dec 1, 2025
Later analysis identifies legacy files with Social Security numbers
Subsequent investigation found older documents from 1990s studies containing Social Security numbers and other participant information among the stolen files. This expanded the breach's sensitivity and the population potentially affected.
Sep 1, 2025
Initial review finds research data exposure without clear personal identifiers
Early analysis indicated that most compromised files were cancer study research data and initially suggested limited exposure of directly identifying information. The impact was understood to center on one research project.
Aug 31, 2025
Attackers encrypt research files and steal study data
During the August 2025 incident, threat actors encrypted systems and exfiltrated research files from the UH Cancer Center. Clinical operations and the electronic medical record system were reported as unaffected, but restoration was significantly disrupted.
Aug 31, 2025
UH Cancer Center detects ransomware intrusion and isolates affected systems
Around 2025-08-31, the University of Hawaii Cancer Center discovered unauthorized access tied to a ransomware attack affecting a single research project. The center disconnected or isolated affected servers and began an investigation with external cybersecurity assistance.
Related Stories

Ransomware and Data-Theft Incidents Impacting US Healthcare and Education Organizations
The University of Hawaiʻi Cancer Center confirmed a **ransomware-driven data breach** affecting its epidemiology division, with the potential exposure of data tied to up to **1.2 million individuals**. The university reported that attackers accessed files containing **SSNs and driver’s license numbers** sourced from historical Hawaiʻi DOT records and Honolulu voter registration data (dating back to 1998), as well as health-related research data connected to the **Multiethnic Cohort (MEC) Study** and other diet-and-cancer studies; the incident was discovered on **August 31, 2025**, and the university acknowledged it engaged with the threat actors while restoration and impact assessment were underway. Separately, a “cyber incident” caused a **five-school-day internet outage** at the Denmark School District in Wisconsin; the **INC Ransom** group claimed the victim on its leak site, alleging both **encryption** and theft of roughly **70.76 GB** of data, though the district had not publicly confirmed ransomware or data exfiltration. In the healthcare sector, **Insight Hospital and Medical Center** in Chicago reported unauthorized network access between **August 22 and September 11, 2025**, and the **Termite** group later claimed to have stolen and then **leaked ~360 GB** (about 900,000 files) of “confidential data,” including medical imaging files (e.g., `.dcm`), raising the likelihood of exposure of both identity data and protected health information.
1 month ago
University of Hawaiʻi Cancer Center Ransomware Breach Exposes Data of Up to 1.2 Million People
The University of Hawaiʻi confirmed that a **ransomware attack** against the UH Cancer Center’s **Epidemiology Division** led to the theft of sensitive data affecting up to **~1.2 million individuals**. The intrusion occurred in **August 2025**, and the university began issuing notifications in late February, including letters to **87,493** participants in the *Multiethnic Cohort (MEC) Study* and additional outreach tied to roughly **900,000** discovered email addresses. UH stated the incident did **not** impact Cancer Center clinical trials operations, patient care, other Cancer Center divisions, or UH student records. Disclosed exposed data includes research and registry-related files containing **names and Social Security numbers**, and in some cases **driver’s license numbers** and **health information** associated with the MEC Study (1993–1996) and other diet/cancer studies, as well as historical datasets sourced from state transportation and voter registration records (late 1990s/2000s). Reporting also indicates the affected records include SSN identifiers from historical driver’s license and voter registration data, expanding the potential impacted population beyond the MEC cohort to approximately **1.15 million** additional individuals whose information may have been present in those datasets.
1 month ago
Ransomware and data-breach disclosures across education, critical infrastructure, and healthcare
Rome’s **La Sapienza University** shut down network systems as a precaution after a cyberattack caused widespread disruption and left its website offline; Italian media attributed the incident to a suspected ransomware operation linked to pro-Russian actor **Femwar02**, with reported tradecraft resembling **Bablock/Rorschach**-style fast encryption. Separately, Romania’s national oil pipeline operator **Conpet** reported a cyberattack that disrupted corporate IT and took down `www.conpet.ro` while leaving **OT/SCADA** and pipeline transport operations unaffected; **Qilin** claimed responsibility, alleging theft of nearly **1TB** of data and posting sample documents (including financial data and passport scans) to support extortion claims. In the U.S., government services contractor **Conduent** faced expanding breach impact from its January 2025 ransomware incident, with notifications indicating exposure potentially reaching **dozens of millions**; reported affected data includes **names, Social Security numbers, and medical/health insurance information**, with at least **15.4M** impacted in Texas and **10.5M** in Oregon per state disclosures. Additional healthcare-sector disclosures included a ransomware-linked intrusion at **Insightin Health** (unauthorized access in September 2025; **Medusa** claimed exfiltration of **378GB**) and a separate compromise at **Clinic Service Corporation** (August 2025 access window), while **Central Ozarks Medical Center** reported a criminal cyberattack affecting **11,818** individuals with exposure of PHI/PII (including SSNs and financial/insurance data). Other items in the set were not incident-specific: an **HHS-OIG** audit describing web application security weaknesses at a large hospital, and general guidance/education pieces on the value of medical records to attackers and **CISA** insider-threat guidance.
1 month ago