Data breach reported by University of Hawaiʻi Cancer Center

Key Facts: University of Hawaiʻi Cancer Center Data Breach

• Date reported: February 28, 2026.
• Unauthorized access identified: August 31, 2025 (Timeline corrected).
• Target entity: University of Hawaiʻi Cancer Center (uhcancercenter.org) – Epidemiology Division.
• Source of breach: Ransomware group (unidentified).
• Data types: Social Security numbers (SSNs), driver’s license numbers (circa 2000), voter registration data (circa 1998), and research-related health information.
• Status: Confirmed; official notice letters and public disclosure issued in late February 2026.
• Severity: High; involves highly sensitive identifiers for approximately 1.24 million individuals.

Start continuous breach monitoring with UpGuard.

What happened in the University of Hawaii Cancer Center data breach?

The University of Hawaiʻi Cancer Center disclosed a critical data breach on February 28, 2026, stemming from a ransomware attack first detected on August 31, 2025. The breach targeted servers within the center's Epidemiology Division, which contained decades of research data.

Critically, the university confirmed that clinical trials, patient care systems, and student records were not impacted. However, the attackers encrypted and potentially exfiltrated historical datasets used for research recruitment. Due to the "extensiveness" of the encryption, UH engaged cybersecurity experts and made the difficult decision to pay a ransom to obtain a decryption tool and secure an affirmation that any stolen data was destroyed.

The compromise includes records for roughly 87,000 participants in the long-running Multiethnic Cohort (MEC) Study and an additional 1.15 million individuals whose information was contained in historical state records (including year 2000 driver's license files and 1998 voter registration files).

Who is behind the incident?

While a specific threat actor has not been named, the incident follows the pattern of "Big Game" ransomware attacks targeting research institutions. UH has reported the incident to the FBI and is conducting a system-wide review of IT infrastructure across all ten UH campuses to strengthen future protections.

Impact and risks for those affected

The primary risk for the 1.24 million affected individuals is the exposure of Social Security numbers and driver’s license data. Because SSNs were used as primary identifiers in the 1990s and early 2000s, these historical files act as a "time capsule" for identity thieves.

While UH has received assurances that the stolen data was deleted, the permanent nature of SSNs and DL numbers means individuals should remain vigilant indefinitely. Such incidents carry a heightened risk of tax fraud, financial account takeovers, and targeted phishing campaigns.

How to protect your identity

• Contact the Dedicated Call Center: If you suspect you are part of the 1.24 million impacted, call (844) 443-0842 (8:30 a.m. to 9 p.m. Central Time) to verify your status.
• Place a Security Freeze: Contact the three major credit bureaus (Equifax, Experian, TransUnion) to freeze your credit, preventing new accounts from being opened in your name.
• File Taxes Early: Since SSNs were part of the breach, filing your 2025/2026 taxes early can prevent a fraudster from claiming your refund.

Frequently Asked Questions

What happened in the University of Hawaii Cancer Center security breach?

On February 28, 2026, UH disclosed that a ransomware attack discovered on August 31, 2025, compromised research servers. The breach potentially exposed the personal data of approximately 1.24 million individuals, primarily from historical research recruitment lists.

When did the University of Hawaii Cancer Center breach occur?

The intrusion was detected on August 31, 2025. It took several months for the university to decrypt the files and conduct a full forensic review to identify exactly which individuals were affected.

What data was exposed?

The exposed information includes names, Social Security numbers, driver’s license numbers (from 2000 DOT records), and voter registration data (from 1998 Honolulu records). Some research study health questionnaires were also involved.

Is my personal information at risk?

If you participated in UH cancer studies between 1993 and 2007, or if you were a registered driver or voter in Hawaiʻi around the year 2000, your data is at risk. Clinical patients treated recently are generally not affected.

How can I protect myself after this data breach?

• Call the UH hotline at (844) 443-0842 to verify your involvement.
• Enable multi-factor authentication (MFA) on all financial accounts.
• Monitor your credit reports for any unauthorized inquiries or new accounts.
• Take advantage of the 12 months of free monitoring offered by the university.

What steps should companies take after being impacted by this breach?

The University of Hawaiʻi has already replaced its existing firewalls with hardware featuring enhanced security controls, installed 24/7 endpoint monitoring, and moved sensitive research servers to more secure data centers managed by UH Information Technology Services.