UH Cancer Center data breach affects nearly 1.2 million people
Source: Bleeping Computer
Notification to Affected Individuals
On February 23, the UH Cancer Center sent notification letters to more than 87,000 people enrolled in its Multiethnic Cohort (MEC) Study (1993‑1996). The university is also notifying all other potentially impacted individuals whose contact details were found (approximately 900,000 email addresses).
“The MEC Study participants potentially impacted a total of 87,493 individuals. Additional individuals whose personal information may have been included in historical driver’s‑license and voter‑registration records with SSN identifiers number approximately 1.15 million,” the university said in a notice published on Friday.
Source: UH News notice
The university emphasized that there was no impact to information held by the UH Cancer Center’s Clinical Trials operations, patient care, or any other divisions, nor to UH student records.
Compromised Documents
The breach exposed several types of files, including:
- Two files containing names and Social Security numbers (SSNs) from a State Department of Transportation document (collected in 2000) and voter‑registration data (1998).
- Files with SSNs and driver’s‑license numbers.
- Health information from the MEC Study (1993‑1996) and three other diet‑and‑cancer studies.
- Two additional files from 1999 and the mid‑2000s with SSNs and names collected from public‑health registries for epidemiological research.
Investigation Findings
-
A December report to the state legislature indicated that the incident affected a single UH Cancer Center research project and was isolated to systems supporting the Epidemiology Division, without impacting clinical operations or patient care.
Report to the state legislature -
A follow‑up investigation showed that attackers accessed research files at the University of Hawaii Cancer Center, potentially stealing personal information such as SSNs and driver’s‑license numbers.
Amended investigation report (PDF) -
The attackers also encrypted the compromised systems, causing extensive damage and delaying UH’s restoration efforts and investigation into the attack’s impact.
University Response
When the attack was first confirmed, the University of Hawaii disclosed that it paid the attackers to obtain a decryption tool and to ensure the “secure destruction of the information the threat actors illegally obtained,” aiming to protect the individuals whose sensitive information may have been compromised.
“The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted,” UH Cancer Center director Naoto T. Ueno said. “We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us.”
In July 2023, the Hawaiʻi Community College (part of the University of Hawaii) also confirmed that it paid a ransomware gang to prevent the leak of data stolen from approximately 28,000 people.
Source: BleepingComputer article
Red Report 2026: Why Ransomware Encryption Dropped 38%
Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight. Download the analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.