A ransomware attack on the University of Hawaii Cancer Center has exposed data connected to around 1.2 million individuals, according to an official notice released by the institution.
The cyberattack was first detected on August 31, 2025, after suspicious activity was discovered within systems used by the cancer center’s epidemiology research division. Investigators later confirmed that attackers had gained unauthorized access to certain internal systems, encrypted files using ransomware, and also copied data from the network.
The compromised information mainly came from historical research datasets used in long-running cancer studies. Some of the affected records include Social Security numbers, driver’s license information, and voter registration records that were originally collected years ago to help recruit participants for research programs.
Many of these records date back more than three decades, highlighting the risks associated with storing large volumes of legacy data on research systems.
The information was linked to the Multiethnic Cohort Study, a major research project launched in 1993 to study cancer incidence patterns among different ethnic and racial groups. The study began with about 215,000 participants, but additional recruitment records expanded the amount of stored data over time.
Officials confirmed that the cyberattack involved both ransomware encryption and data exfiltration. The organization eventually paid an undisclosed ransom in exchange for a decryption key and assurances from the attackers that the stolen data would be destroyed.
The cancer center clarified that the incident did not impact patient treatment systems, clinical trial operations, or university student records, and was limited to certain research datasets.
Following the attack, the institution reported that it has strengthened its cybersecurity measures, including improvements to network security, enhanced monitoring systems, stricter access controls for sensitive data, and additional cybersecurity training for staff.
The incident highlights the growing cybersecurity risks facing healthcare and academic research institutions, particularly those storing large amounts of historical data that may not have been originally designed with modern security protections.