University of Hawaiʻi Cancer Center Ransomware Attack Exposes Data of Over a Million Individuals
Key Takeaways
- A ransomware attack on the University of Hawaiʻi Cancer Center exposed sensitive personal data, including Social Security numbers and driver’s license information tied to long-standing research records.
- The breach included Social Security numbers and other identifying information, increasing the risk of identity theft, financial fraud, and long-term privacy concerns for those impacted.
- Much of the compromised information originated from decades-old epidemiological studies and government records, raising questions about how long sensitive data is stored and how securely it is maintained.
Injured?
What You Need to Know and How It Could Lead to Legal Action
In early 2026, the University of Hawaiʻi recently confirmed that a significant cyberattack involving ransomware had exposed personal information for potentially up to 1.2 million individuals.
Many patients entrusted their sensitive details to the care center, and when companies fail to uphold a duty of care to that confidential information, they can be held accountable for not protecting with adequate cybersecurity.
The University of Hawaiʻi Cancer Center Ransomware Data Breach Overview
The breach occurred when unauthorized third parties infiltrated servers supporting the University of Hawaiʻi Cancer Center’s Epidemiology Division in late August 2025, exploiting vulnerabilities in the system and deploying ransomware that encrypted data and allowed attackers to copy sensitive information.
The university first identified the attack on August 31, 2025, and later disclosed the incident in a report to the Hawaiʻi state legislature. It took months of investigation and system recovery efforts before officials fully assessed the scope of the breach.
What Data Was Exposed in the University of Hawaiʻi Cancer Center Data Breach?
According to official disclosures, the cyberattack compromised multiple categories of sensitive data:
- Social Security numbers (SSNs)
- Driver’s license numbers
- Names and identifiers from historical research records
- Some health-related information used in epidemiological studies
Most of the affected data originated from the Multiethnic Cohort (MEC) Study, a long-term research project begun in the early 1990s that relied on historical government records to recruit participants.
The university reported that 87,493 study participants’ information was definitively accessed. Additionally, records drawn from older driver’s licenses and Hawaii voter registration databases, which once contained SSNs, may have exposed as many as 1.15 million other individuals.
The Institution’s Response and Restoration Efforts
Once the breach was detected, the University of Hawaiʻi disconnected affected systems and engaged cybersecurity experts to investigate and assist recovery.
The university obtained a decryption tool from the threat actors in exchange for payment, a controversial decision that the university says helped recover encrypted systems and secured an assurance that stolen data was destroyed.
Verified that clinical patient care systems, student records, and clinical trial data were not affected.
Notified law enforcement and launched a systemwide IT review across all University of Hawaiʻi campuses.
University officials have maintained that, to date, there is no evidence that the stolen information has been published or misused.
Support for Affected Individuals
Recognizing the potential risks associated with SSN and identity exposure, the University of Hawaiʻi has offered:
- 12 months of free credit monitoring and identity theft protection
- Identity theft insurance coverage
- Dedicated resources and communications to help individuals check whether their data was involved.
How to Protect Yourself After a Data Breach
If you have received notification that your personal data may have been involved in the University of Hawaiʻi breach or suspect you were affected:
- Sign up for the free credit monitoring and identity protection services offered through the university.
- Place fraud alerts or freezes on your credit files with major credit bureaus.
- Regularly review financial statements and credit reports for unauthorized activity.
- Be alert to phishing attempts or suspicious communications purporting to be from official sources.
- Take legal action if you suffer damages due to the preventable data breach.
Legal Options for Victims
Despite the university’s immediate response, several issues could carry legal consequences. Here’s the breakdown.
Firstly, your Social Security numbers may have been exposed. SSNs are among the most sensitive personal data identifiers and are extremely valuable to identity thieves.
Additionally, the breach occurred in August 2025, but detailed notifications to affected individuals were not completed until early 2026. That’s a lot of wasted time and missed opportunities for victims to respond promptly to protect themselves.
Plus, many of the records were originally collected decades ago and stored under older systems that did not adhere to contemporary data protection standards.
These factors raise potential grounds for class action lawsuits by affected individuals seeking damages for the risk of identity theft, the time and effort required to monitor their identity, emotional distress, and potentially faulty security practices.
Morgan & Morgan’s data breach lawyers specialize in data breach litigation and will investigate whether the university’s policies and breach response complied with applicable state and federal laws.
If you or a loved one believes your data was exposed, contact us today for a free case evaluation to learn more about your legal options. You may be entitled to compensation.
We've got your back
Injured?
Not sure what to do next?
We'll guide you through everything you need to know.
