Cyberattack on University of Hawaii Cancer Center Exposes Decades of Research Data Tied to 1.2 Million People

Key Takeaways

• Cyberattack Exposed Data Tied To About 1.2 Million People: The breach affected research systems at the University of Hawaii Cancer Center’s Epidemiology Division.
• Incident Discovered In August 2025: Attackers encrypted research servers and claimed to have exfiltrated a portion of the data.
• Historical Research And Public Records Involved: Compromised files included Social Security numbers, names, driver’s license records, voter registration data, and epidemiological study data dating back to the 1990s.
• Multiethnic Cohort Study Participants Impacted: Records belonging to 87,493 participants in the long-running cancer research study were exposed.
• Clinical Operations Were Not Affected: The university confirmed patient care systems, clinical trials operations, and student records were not involved.

Deep Dive

A cyberattack on research systems at the University of Hawaii Cancer Center has exposed personal data connected to roughly 1.2 million individuals, according to incident disclosures released by the university in late February.

The breach traces back to August 31, 2025, when the cancer center discovered that an unauthorized third party had infiltrated servers used by its Epidemiology Division. The attackers encrypted large volumes of research data and claimed to have taken a portion of it, triggering a months-long investigation to determine what information was involved.

University officials say the incident was contained to systems supporting epidemiology research, recruitment efforts, and research data storage. Clinical trials operations, patient care systems, other divisions within the cancer center, and student records were not affected.

The university publicly announced the breach on February 27, 2026, after investigators were able to reconstruct and review the encrypted data.

A Breach Rooted in Decades-Old Research Records

What makes the incident unusual is not just the scale but the age of the data involved. Many of the compromised files were tied to long-running epidemiological research projects conducted in Hawaii and California during the 1990s and early 2000s. Among them was the Multiethnic Cohort Study, a major public health project launched in 1993 to explore links between diet, lifestyle, and cancer risk across diverse populations.

More than 215,000 people were recruited for the study between 1993 and 1996. The university said records belonging to 87,493 participants in that cohort were among the files exposed during the cyberattack. Those records included names and Social Security numbers and, in some cases, research-related health information collected for epidemiological analysis.

Additional research datasets tied to studies on colorectal adenomas and colon cancer conducted between the mid-1990s and mid-2000s were also affected.

Government Records Also Part of the Dataset

The breach also involved older public records that researchers had historically used to identify potential study participants.

According to the university, two of the compromised files contained names paired with Social Security numbers drawn from government records. One dataset came from driver’s license information obtained from the Hawaii Department of Transportation in 2000, while another consisted of voter registration records collected from the City and County of Honolulu in 1998.

At the time those records were compiled, driver’s license numbers and voter registration data in Hawaii often incorporated Social Security numbers as identifiers.

Additional files pulled from national and state public health registries were also present in the affected systems. These datasets, some of which were closed to new entries as early as 1999, included names and Social Security numbers used in epidemiology research and participant recruitment.

Altogether, the university estimates that approximately 1.15 million individuals may have had personal data included in those historical datasets.

Why the Disclosure Took Months

Although the intrusion was detected in late August 2025, the university said it took months to determine whose information had been affected.

The attackers encrypted a large volume of research data, leaving investigators without immediate visibility into the contents of the compromised files. Once the systems were restored using a decryption tool, investigators had to conduct a detailed electronic review to identify records containing personal information.

University officials said the age and complexity of the datasets also contributed to the delay. Many of the records were tied to studies conducted decades ago and stored in legacy research environments.

Notification letters were first sent on February 23, 2026 to participants in the Multiethnic Cohort Study whose information was confirmed to be present in the exposed files. A broader public notice followed on February 27, with additional notifications expected to be distributed by email in early March to roughly 900,000 individuals whose contact information could be located.

Response and Security Measures

The university said it notified law enforcement and brought in outside cybersecurity experts shortly after discovering the breach.

According to the institution, investigators obtained a decryption tool from the attackers and received confirmation that the data they claimed to have taken had been destroyed. Officials said there is currently no evidence that the compromised information has been publicly released or misused, though the investigation remains ongoing.

In response to the incident, the university said it has undertaken a broad set of security upgrades across the cancer center’s research infrastructure. These include redesigning parts of the network, strengthening endpoint monitoring, migrating sensitive research servers into a centralized university data center, tightening access controls, and rebuilding compromised systems.

The university has also established new governance structures focused specifically on research cybersecurity, including an Information Security Governance Council for Research and a dedicated task force charged with updating policies and recommending long-term security improvements.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.