Full Report
The University of Hawaii confirmed that a ransomware gang stole the data of nearly 1.2 million individuals in August 2025 after breaching its Cancer Center's Epidemiology Division. [...]
Analysis Summary
# Incident Report: UH Cancer Center Ransomware and Data Exfiltration
## Executive Summary
In August 2025, the University of Hawaii (UH) Cancer Center's Epidemiology Division suffered a ransomware attack. Threat actors successfully breached systems, exfiltrated sensitive data belonging to nearly 1.2 million individuals, and encrypted compromised systems, causing operational delays. The University reportedly paid the attackers for a decryption key and assurance of data destruction.
## Incident Details
- **Discovery Date:** Not explicitly stated, but confirmation and notification began around February 2026.
- **Incident Date:** August 2025
- **Affected Organization:** University of Hawaii (UH) Cancer Center, specifically the Epidemiology Division.
- **Sector:** Higher Education / Healthcare Research
- **Geography:** Hawaii, USA
## Timeline of Events
### Initial Access
- **Date/Time:** August 2025 (Date of breach)
- **Vector:** Not specified in detail, but involved gaining access to systems supporting the Epidemiology Division.
- **Details:** Attackers gained access resulting in subsequent system encryption and data theft.
### Lateral Movement
- **Details:** Attackers accessed research files supporting a single UH Cancer Center research project within the Epidemiology Division.
### Data Exfiltration/Impact
- **Details:** Attackers stole Personally Identifiable Information (PII) and sensitive health data belonging to approximately 1.2 million individuals involved in various historical epidemiological studies (1993–2000s). This included names, Social Security Numbers (SSNs), driver's license numbers, and health information. Systems were also encrypted, causing damage and delays.
### Detection & Response
- **Details:** The incident was revealed in a December 2025 report to the state legislature. Notifications were sent out starting February 23, 2026. The university confirmed paying the attackers to receive a decryption tool and secure the destruction of illegally obtained data.
## Attack Methodology
- **Initial Access:** Not specified.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Implied access/theft of credentials necessary to access research file servers.
- **Discovery:** Implied reconnaissance to locate and access sensitive research databases.
- **Lateral Movement:** Within systems supporting the Epidemiology Division research projects.
- **Collection:** Compiling names, SSNs, DL numbers, and health data from historical research files spanning multiple studies.
- **Exfiltration:** Stealing the collected sensitive data prior to/during encryption.
- **Impact:** System encryption (Ransomware) leading to operational disruption and data theft.
## Impact Assessment
- **Financial:** Cost associated with incident response investigation, notifications, and ransom payment (if applicable).
- **Data Breach:** Data of nearly 1.2 million individuals compromised. Included names, SSNs, DL numbers, and health information related to the MEC Study (1993–1996) and other public health registry data.
- **Operational:** Extensive damage and delays to UH's restoration efforts due to encryption.
- **Reputational:** Significant negative impact due to the scale of the PII/SSN breach associated with a major university research center.
## Indicators of Compromise
- *No specific IoCs (URLs, IPs, hashes) were provided in the source material.*
- **Behavioral indicators:** Large-scale data staging and exfiltration; system encryption events.
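Since the source gives no atomic IoCs, the only thing a defender can hunt for here is the behavioral indicator above: a single research host pushing an unusual volume of data outbound. The following is an added example, not part of the original report and not UH's own tooling; the flow-record format, the internal address range, the sample rows and the thresholds are all constructed assumptions.

```python
"""
Added example (not from the report): a baseline check for large-scale
data staging and exfiltration. It totals outbound bytes from internal
hosts to external destinations over a set of flow records and flags hosts
whose egress is far above the fleet median. The flow format, addresses,
thresholds and internal ranges are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: (timestamp, src_ip, dst_ip, bytes_sent).
# External addresses use documentation ranges (RFC 5737); none is a real IoC.
SAMPLE_FLOWS = [
    ("2025-08-12T02:10:00Z", "10.20.5.17", "10.20.5.2", 4_200),
    ("2025-08-12T02:11:00Z", "10.20.5.17", "203.0.113.45", 1_900_000_000),
    ("2025-08-12T02:12:00Z", "10.20.5.17", "203.0.113.45", 2_300_000_000),
    ("2025-08-12T03:05:00Z", "10.20.5.18", "198.51.100.9", 12_000_000),
    ("2025-08-12T03:20:00Z", "10.20.5.19", "198.51.100.9", 8_000_000),
    ("2025-08-12T03:25:00Z", "10.20.5.21", "198.51.100.9", 9_000_000),
    ("2025-08-12T09:00:00Z", "10.20.5.20", "10.20.9.4", 900_000_000),  # internal backup job
]

# Assumed internal address space for the research network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_external_bytes(flows):
    """Total bytes each internal host sent to external destinations.
    Internal-to-internal traffic (backups, file shares) is ignored."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil_candidates(flows, absolute_floor=1_000_000_000, ratio=10.0):
    """Hosts whose external egress exceeds an absolute floor AND `ratio`
    times the fleet median. Both gates matter: the floor keeps a quiet
    network from flagging ordinary hosts, the ratio isolates outliers in a
    busy one. Returns a sorted list of host addresses."""
    totals = outbound_external_bytes(flows)
    if not totals:
        return []
    ordered = sorted(totals.values())
    median = ordered[len(ordered) // 2]
    return sorted(
        host for host, nbytes in totals.items()
        if nbytes >= absolute_floor and nbytes >= ratio * median
    )


if __name__ == "__main__":
    for host, nbytes in sorted(outbound_external_bytes(SAMPLE_FLOWS).items()):
        print(f"{host:<14} {nbytes:>14,} bytes external egress")
    print("candidates:", flag_exfil_candidates(SAMPLE_FLOWS))
```

In practice the median should come from a rolling window of the same hosts' history rather than a single day's fleet, and the check is worth pairing with a time-of-day condition, since the constructed outlier above moves its data in the early morning. The internal backup host in the sample is deliberately large to show why internal destinations must be excluded before comparing volumes.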
## Response Actions
- **Containment:** Incident was isolated to systems within the Epidemiology Division research project.
- **Eradication:** The specific steps are not detailed, but included obtaining a decryption tool from the threat actors.
- **Recovery:** Restoration efforts were undertaken but delayed by the encryption event. Affected individuals were notified starting February 2026.
## Lessons Learned
- **Key Takeaways:** Single-division research systems can hold extremely sensitive historical datasets (e.g., SSNs combined with health data) that pose a major risk if compromised. Ransomware remains a viable threat, even against educational/research entities.
- **What could have been done better:** Improved segmentation between clinical/non-clinical operations, and potentially enhanced controls around legacy data storage dating back to the 1990s.
## Recommendations
- **Prevention measures for similar incidents:** Implement strong network segmentation, isolate research environments from core institutional systems, and review and minimize the storage of highly sensitive PII (like SSNs) in historical research datasets, ideally migrating them to more hardened, isolated archives or employing advanced pseudonymization techniques where appropriate.
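The last recommendation, pseudonymizing direct identifiers in historical research datasets, is the one that would have shrunk the blast radius of this breach the most: a stolen extract whose SSN and license columns hold keyed tokens is not a 1.2-million-person SSN leak. The following is an added example, not UH's code or any named product; the field names, sample rows and the demo key are constructed, and a real key would live in an HSM or KMS separate from the data store.

```python
"""
Added example (not from the report): keyed pseudonymization of direct
identifiers in a research extract. Each direct identifier is replaced by a
domain-separated HMAC-SHA256 token so that records for the same person
still link across studies, while the token cannot be reversed without the
key. Field names, rows and the demo key are constructed assumptions.
"""
import hashlib
import hmac
import re

# Columns treated as direct identifiers (constructed schema).
DIRECT_IDENTIFIERS = ("ssn", "drivers_license", "name")

# Constructed rows; rows 1 and 2 are the same person, recorded with and
# without SSN hyphens, to show that normalization preserves linkability.
SAMPLE_ROWS = [
    {"study_id": "STUDY-A-0001", "name": "Jane Doe", "ssn": "123-45-6789",
     "drivers_license": "H1234567", "dob_year": 1951, "dx_code": "C50.9"},
    {"study_id": "STUDY-B-0417", "name": "Jane Doe", "ssn": "123456789",
     "drivers_license": "H1234567", "dob_year": 1951, "dx_code": "C50.9"},
    {"study_id": "STUDY-A-0002", "name": "John Roe", "ssn": "987-65-4321",
     "drivers_license": "H7654321", "dob_year": 1948, "dx_code": "C61"},
]

# Demo key only. In production the key is generated and held in a KMS/HSM,
# never stored next to the dataset, and rotated with a documented re-keying plan.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def normalize(field: str, value: str) -> str:
    """Canonicalize before hashing so formatting differences do not split one person."""
    if field == "ssn":
        return re.sub(r"\D", "", value)
    return " ".join(value.strip().lower().split())


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Domain-separated keyed token: the same value in two different fields
    yields two different tokens, so cross-column correlation leaks nothing."""
    msg = f"{field}:{normalize(field, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(rows, key: bytes):
    """Return new rows with every direct identifier replaced; input is not mutated."""
    out = []
    for row in rows:
        clean = dict(row)
        for field in DIRECT_IDENTIFIERS:
            if clean.get(field):
                clean[field] = pseudonym(field, clean[field], key)
        out.append(clean)
    return out


def contains_raw_ssn(rows) -> bool:
    """Release gate: scan every value for something that still looks like an SSN."""
    return any(SSN_PATTERN.search(str(v)) for row in rows for v in row.values())


if __name__ == "__main__":
    safe = pseudonymize(SAMPLE_ROWS, DEMO_KEY)
    for row in safe:
        print(row["study_id"], row["ssn"], row["dx_code"])
    print("raw SSN present after pseudonymization:", contains_raw_ssn(safe))
```

Indirect identifiers such as birth year and diagnosis code are left in place here because the study needs them; they still need a separate re-identification risk review (generalization or suppression of rare combinations), which keyed tokenization does not address. The `contains_raw_ssn` gate is a cheap last check before an extract leaves the hardened archive.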