UH Cancer Center Breach Affects 1.15 Million Records

The University of Hawai'i Cancer Center, a leading research institution in Hawaii and the Pacific, recently experienced a significant ransomware attack that compromised the personal information of approximately 1.15 million individuals in the United States. The breach primarily affected historical research records stored by the center’s Epidemiology Division, including files used to recruit participants for major studies such as the Multiethnic Cohort (MEC) Study.

This incident is considered severe due to the volume and sensitivity of the data exposed, as well as the age of some records, which date back to the late 1990s and early 2000s.

During the attack, an unauthorized third party gained access to research servers, encrypted data and potentially exfiltrated files containing personally identifiable information (PII) and protected health information (PHI). The exposed information includes Social Security numbers, driver license numbers (which were often based on Social Security numbers in Hawaii at the time), names, and in some cases, health-related research data and registry information.

The largest group affected consists of individuals whose data was collected from the State Department of Transportation in 2000 and City and County of Honolulu voter registration records from 1998. In total, about 1.15 million people are believed to have had their PII exposed, while 87,493 MEC Study participants may also have had PHI compromised.

The university worked with law enforcement and third-party cybersecurity experts to obtain a decryption tool and secure an affirmation from the attackers that any exfiltrated information was destroyed. As of this writing, there is no evidence that the stolen data has been published, shared or misused. The breach did not impact clinical trials, patient care, or student records held by the center.

University Of Hawai'i Cancer Center's response

To support those impacted, the university has established dedicated call centers where individuals can:

• Verify whether their information may have been involved
• Enroll in credit monitoring and identity protection services

The call center can be reached at 844-443-0842 and is open Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (with adjusted hours for Hawaii Standard Time).

In response to the breach’s severity and the ransomware method, the center has implemented extensive cybersecurity and governance enhancements. These include redesigning and hardening the network, deploying modern endpoint protection with 24/7 monitoring, upgrading hardware, migrating sensitive research servers to the university’s central IT data center, enforcing strict access controls and requiring cybersecurity training for all Cancer Center staff.

The university has also created a new Information Security Governance Council for Research and an Information Security Task Force to coordinate research-related cybersecurity and recommend further improvements.

Anyone who believes they may be affected should remain vigilant by monitoring their credit reports and financial accounts for unusual activity. Taking advantage of the free credit monitoring and identity theft insurance offered is strongly recommended.