UH Cancer Center says cyberattack may have exposed data on nearly 1.24 million people

The University of Hawaiʻi says a 2025 ransomware attack against the UH Cancer Center’s Epidemiology Division may have exposed sensitive personal data tied to almost 1.24 million people. The university said the incident affected 87,493 Multiethnic Cohort Study participants and about 1.15 million additional individuals whose information appeared in historical driver’s license and voter registration records used for research recruitment.

UH says the attack was isolated to research systems in the Cancer Center’s Epidemiology Division. The university added that clinical trials operations, patient care, other UH Cancer Center divisions, and UH student records were not affected.

The numbers are large because the exposed files were old and broad. UH says the affected data included names paired with Social Security numbers or driver’s license numbers from Hawaiʻi Department of Transportation records collected in 2000 and City and County of Honolulu voter registration records collected in 1998, along with research and registry information connected to several long-running epidemiology studies.

What happened

UH says it discovered the cyberattack on or about August 31, 2025. The university says an unauthorized party encrypted large amounts of data and provided proof that it had potentially exfiltrated part of that data. UH later said it worked with third-party cybersecurity experts to obtain a decryption tool and an affirmation that the accessed information was destroyed. As of its latest public update, UH says it has no evidence that the information has been published, shared, or misused.

A report submitted to the Hawaiʻi Legislature described the event as a ransomware attack on Cancer Center research systems and said the university made the difficult decision to engage with the threat actors in order to protect affected individuals. That legislative filing also said the incident did not affect clinical operations or patient care.

Who may be affected

Group	Estimated number
Multiethnic Cohort Study participants	87,493
Additional people in historical driver’s license and voter registration files	Approximately 1.15 million
Combined potential total	Nearly 1.24 million

These figures come directly from the university’s February 27 notice and incident resource page.

What data may have been exposed

UH says the compromised research files may have included:

• Names and Social Security numbers from historical Hawaiʻi driver’s license and Honolulu voter registration records
• Driver’s license numbers and study-related information for participants in the Multiethnic Cohort Study and other epidemiology studies
• Health-related questionnaire data and information pulled from national and state public health registries

The university says its review is still ongoing, but it believes any additional newly identified cases involving names plus SSNs or driver’s license numbers will be nominal and, where possible, those individuals will receive separate notice.

Why notification took months

UH says the delay came from the volume of encrypted data, the complexity of the restoration work, and the age of the studies and records involved. On its incident site, the university says it did not confirm the full personal information impact until February 2026, after restoring access and conducting a detailed electronic review of the files.

That timeline has drawn scrutiny. Reporting on the earlier legislative disclosure noted that the incident was discovered in August 2025, while broader public notification did not arrive until late February 2026.

What UH is offering

UH says it mailed notification letters on February 23, 2026 to the first confirmed group of affected people, the 87,493 MEC Study participants. The university says it is also notifying others through email where addresses have been found, which it estimates at about 900,000 email addresses, along with statewide publication and its dedicated incident website.

The school says potentially affected people can receive:

• 12 months of free credit monitoring
• $1 million in identity theft insurance
• Call center support to verify whether their information was involved

What UH says it changed after the attack

UH says it has taken several steps since the breach, including:

• redesigning and hardening parts of the network
• expanding endpoint protection with 24/7 monitoring
• upgrading hardware
• moving sensitive research servers into the UH Information Technology Services data center
• tightening access controls for sensitive data
• enforcing cybersecurity training for Cancer Center staff

The university also says it created a new Information Security Governance Council for Research and an Information Security Task Force to improve cybersecurity oversight across the system.

What this means

This is one of the larger university-linked breach disclosures of 2026 so far because of the age and size of the historical files involved. Even though the incident did not hit patient care systems or student records, the presence of Social Security numbers and driver’s license-linked identifiers makes it a serious exposure. UH says there is no evidence of misuse so far, but the scale of the notification means this event will likely stay under close watch.

FAQ