TL;DR: The University of Hawaii Cancer Center got hit by ransomware on August 31, 2025. They paid the attackers for a decryption tool and a promise to destroy the stolen data. The breach exposed Social Security numbers, driver's license numbers, and medical research data for approximately 1.2 million people. That includes 87,493 participants in the Multiethnic Cohort Study—one of Hawaii's largest ongoing cancer research projects—plus another 1.15 million people whose data came from historical state records including 2000 Department of Transportation files and 1998 Honolulu voter registration databases. Victims started receiving notification letters on February 23, 2026—nearly six months after the attack.

What Took Six Months?

The University of Hawaii discovered the ransomware attack on August 31, 2025. Notification letters went out on February 23, 2026. That's 176 days between "we got hacked" and "here's your credit monitoring."

UH says the delay was necessary to decrypt files and conduct a "comprehensive forensic review" to identify exactly whose data was compromised. Fair enough—ransomware investigations take time. But 176 days is a long time for someone's Social Security number to be floating around in criminal hands while they have no idea they're exposed [1].

Hawaii doesn't have a hard deadline for breach notification, but most state laws require notice within 60 to 90 days. UH almost doubled that timeline.

They Paid the Ransom

Here's the part UH tried to word carefully: "The University also obtained a decryption tool and ensured the destruction of exfiltrated data." Translation: they paid the ransom [2].

The university declined to disclose how much they paid. They also didn't share details about which ransomware group hit them or confirm whether "destruction of exfiltrated data" means anything beyond trusting criminals to keep their word.

Paying ransoms remains controversial for good reason. It funds criminal operations, encourages more attacks, and provides no real guarantee that stolen data won't be sold or leaked later. But when you're a cancer research center holding decades of patient data and facing permanent loss of research files, the calculation changes fast.

UH's official position is that they engaged with the threat actors "to protect the individuals whose sensitive information may have been compromised." Whether that protection materialized remains to be seen.

What Was Stolen

The breach hit the Cancer Center's epidemiology research servers—not clinical operations or patient care systems. But "research data" is a misleading euphemism for what was actually exposed [1][3]:

  • Social Security numbers — for research participants and individuals in historical state records
  • Driver's license numbers — pulled from 2000 Hawaii DOT records
  • Voter registration data — from 1998 Honolulu records
  • Dates of birth, addresses, and demographic information
  • Health research questionnaires — including responses from MEC Study participants about medical history and lifestyle

The Multiethnic Cohort Study, or MEC, is one of the nation's largest prospective cancer research studies. It's been running since 1993, tracking health outcomes across diverse ethnic populations in Hawaii and Los Angeles. Participants trusted their medical information to researchers. Now that data is in criminal hands [3].

Why 1.2 Million People?

That number is larger than Hawaii's entire population. Here's how it breaks down:

  • 87,493 people — MEC Study research participants, the core group receiving notification letters first
  • ~1.15 million people — individuals whose records came from historical databases the Cancer Center used for research recruitment, including Hawaii driver's license records from 2000 and Honolulu voter registration data from 1998 [2]

In other words, if you had a Hawaii driver's license 26 years ago or were registered to vote in Honolulu 28 years ago, your Social Security number might now be in this breach—even if you've never had cancer or participated in any research study.

The Cancer Center has email addresses for about 900,000 of the 1.15 million people in the historical databases. The rest will be notified through public announcements. If you lived in Hawaii in the late 1990s and haven't received a notification email, you should assume you're affected [2].

The Credit Monitoring Package

UH is offering affected individuals:

  • 12 months of complimentary credit monitoring
  • $1 million identity theft insurance coverage
  • A dedicated call center: (844) 443-0842, Monday–Friday

The call center opened March 2, 2026. Given the time zone difference, Hawaii residents can call between 3:30 a.m. and 4:00 p.m. local time—not exactly convenient hours for working people to discover their Social Security number was stolen [2].

What Wasn't Affected

UH emphasized that clinical operations and patient care were not impacted. The Cancer Center's treatment services, clinical trials operations, and patient medical records remain secure [1][2].

The attack targeted epidemiology research servers specifically. That's both good news (no active patient records compromised) and bad news (decades of research participant data with identifying information was all in one place).

The Pattern Continues

This is the playbook now. Ransomware gangs target healthcare and research institutions. They steal data before encrypting it. They demand payment for decryption keys AND for promises not to leak the data. Institutions pay because the alternative—losing years of research or patient records—is worse.

UH joins Conduent, UMMC, and dozens of other healthcare organizations that have been hit in the past year. The healthcare ransomware epidemic shows no signs of slowing.

What makes this breach particularly troubling is the historical data. You can stop participating in a cancer study. You can't go back in time and un-register to vote or un-apply for a driver's license. People who moved away from Hawaii decades ago, who forgot they ever gave the state their Social Security number, are now breach victims.

What You Should Do

If you lived in Hawaii in the 1990s or 2000s, if you ever participated in cancer research in Hawaii, or if you've received a notification letter:

  • Freeze your credit now. Don't wait for the notification letter. Call Equifax (800-349-9960), Experian (888-397-3742), and TransUnion (888-909-8872). Freezes are free.
  • Get an IRS Identity Protection PIN. Prevents tax fraud using your stolen SSN. Apply at irs.gov.
  • Take the credit monitoring. Yes, 12 months isn't enough. But it's free, and you should use every protection available.
  • Watch for medical identity theft. If your health questionnaires were compromised, monitor your health insurance statements for services you didn't receive.
  • Check the UH breach portal. More information is available at hawaii.edu/cancercenter/incident.

Trust Broken

Research institutions depend on public trust. People participate in cancer studies because they believe their data will be protected and their contribution will help others. The Multiethnic Cohort Study has generated valuable insights about cancer risks across diverse populations. That work matters.

But when you promise confidentiality and then lose Social Security numbers to ransomware gangs, trust erodes. When you take six months to tell people, trust erodes further. When the breach extends to millions of people who never even knew their data was in your system, you've broken something that won't easily heal.

The next time a researcher asks someone in Hawaii to participate in a health study, they'll have to overcome the memory of this breach. That's the real cost.

Sources

  1. SecurityWeek — 1.2 Million Affected by University of Hawaii Cancer Center Data Breach (March 2026)
  2. University of Hawaii System News — Notice of UH Cancer Center cyberattack affecting personal information (February 27, 2026)
  3. CPO Magazine — Ransomware Attack at the University of Hawaii Cancer Center Affects 1.2 Million People (March 2026)
  4. The Record — University of Hawaiʻi Cancer Center confirms data leak following ransomware attack (2026)
  5. BleepingComputer — University of Hawaii Cancer Center hit by ransomware attack (2026)