The University of Hawaii has confirmed that a ransomware gang breached its Cancer Center in August 2025 and stole sensitive data from a research project, including documents dating back to the 1990s that contained Social Security numbers.
The University of Hawaii system, founded in 1907, includes three universities, seven community colleges, and multiple campuses and research centers spread across the Hawaiian Islands. The University of Hawaii Cancer Center is based in Honolulu’s Kakaʻako district and employs more than 300 faculty and staff members, along with around 200 affiliate researchers.
In a report submitted to the state legislature, the university said the August 31 cyberattack affected only one research project at the Cancer Center and did not disrupt patient care or clinical operations. However, the attack caused serious technical damage by encrypting systems, which slowed recovery efforts and delayed a full understanding of how much data was impacted.
According to the university, once the breach was discovered in late August, the affected systems were immediately taken offline. Cybersecurity experts were brought in to investigate, and relevant external parties were notified. During the investigation, the university decided to communicate with the attackers in an effort to protect individuals whose data may have been compromised.
Officials said the stolen files were limited to research materials and did not include medical treatment records. Early findings suggested that most of the files contained research data without personal identifiers. However, further review revealed older files from the 1990s that included Social Security numbers, which were used at the time to identify study participants before newer identification methods were adopted.
The university said it worked with outside cybersecurity specialists to obtain a decryption tool and to ensure the secure deletion of data stolen by the attackers. These steps were taken to reduce the risk to individuals whose sensitive information may have been exposed.
The University of Hawaii has not yet notified affected individuals but said it will do so once accurate contact information is confirmed. The institution has also taken additional steps to strengthen its security, including installing new endpoint protection software, replacing compromised systems, resetting passwords, upgrading firewall software, and conducting independent security audits of the Cancer Center.
This incident comes amid a broader rise in cyberattacks targeting major organizations in Hawaii and across the United States. In June, Hawaiian Airlines reported a cyberattack that disrupted access to some internal systems, though flight safety was not affected.
Several US universities have also reported breaches in recent months. Princeton University, Harvard University, and the University of Pennsylvania disclosed that attackers used voice phishing tactics to access systems containing data on donors, staff, students, and alumni. The Clop ransomware group later breached Harvard and the University of Pennsylvania again, stealing sensitive personal and financial data by exploiting a previously unknown vulnerability in Oracle’s E-Business Suite software.
In another case, Baker University revealed in December that attackers had breached its network the year before and stolen personal, health, and financial information belonging to more than 53,000 people.
The University of Hawaii incident highlights the long-lasting risks of storing historical data and the growing threat that ransomware attacks pose to research institutions and universities.





