University of Hawaii says a ransomware gang breached its Cancer Center in August 2025, stealing data of study participants, including documents from the 1990s containing Social Security numbers.
Founded in 1907, the University of Hawaii (UH) System now includes 3 universities and 7 community colleges, as well as 10 campuses and training and research centers across the Hawaiian Islands. Its Cancer Center is located in the Kakaʻako district of Honolulu and has over 300 faculty and staff, as well as an additional 200 affiliate members.
In a report to the state legislature, UH said the August 31 incident affected a single research project at the UH Cancer Center, without impacting clinical operations or patient care.
However, the extensive damage caused by encrypting the compromised systems delayed UH’s restoration efforts and investigation into the attack’s impact.
“Upon discovery in late August, the affected systems were immediately disconnected, experts were engaged to conduct a comprehensive investigation and external stakeholders were notified,” a UH spokesperson told BleepingComputer.
“During this process, UH made the difficult decision to engage with the threat actors in order to protect individuals whose information may have been affected. A limited set of research files (not medical treatment records), including some containing historical personal information, was involved.”
Initial reviews found that most affected files were related to a specific cancer study and contained only research data, without personal identifiers. However, further analysis uncovered files from the 1990s, containing Social Security numbers used to identify research participants before the university adopted different identification methods.
Ransom paid for decryptor, deletion of stolen data
UH added that it also worked with external cybersecurity experts to obtain a decryption tool and “secure destruction of the information the threat actors illegally obtained” to “protect the individuals whose sensitive information may have been compromised.”
Although the university has yet to notify those whose data was stolen in the ransomware attack, UH told BleepingComputer that it will alert them “as soon as contact information has been determined.”
In response to the attack, UH has also taken measures to secure its systems against further breach attempts, including installing endpoint protection software, replacing compromised systems, resetting passwords, replacing firewall software, and conducting third-party security audits of the Cancer Center.
In June, Hawaiian Airlines also disclosed a cyberattack that had disrupted access to some of its IT systems, but didn’t affect flight safety.
Several other universities in the United States have also been breached in voice phishing attacks starting late October, with Princeton University, Harvard University, and the University of Pennsylvania disclosing that their development and alumni activities systems were hacked to steal the data of donors, staff, students, and alumni.
The Clop ransomware gang also breached Harvard University and the University of Pennsylvania again, stealing sensitive personal and financial data from students, staff, and suppliers in a data theft campaign that exploited an Oracle E-Business Suite (EBS) zero-day vulnerability.
In December, Baker University also disclosed a data breach after attackers compromised its network the previous year and stole the personal, health, and financial information of more than 53,000 individuals.

