Full Report
The University of Hawaii has confirmed that a ransomware gang stole the data of nearly 1.2 million individuals after breaching its Cancer Center’s Epidemiology Division in August 2025. Founded in 1907, the University of Hawaii (UH) System operates 3 universities and 7 community colleges, as well as multiple campuses and research centers across the Hawaiian…
Analysis Summary
# Incident Report: University of Hawaii Cancer Center Ransomware Attack
## Executive Summary
In August 2025, a ransomware group breached the University of Hawaii (UH) Cancer Center’s Epidemiology Division, resulting in the theft of data belonging to approximately 1.2 million individuals. The breach involved sensitive research participant data, including records from the Multiethnic Cohort (MEC) Study. The university began mass notifications in February 2026 after confirming the scope of the exfiltration.
## Incident Details
- **Discovery Date:** Not explicitly disclosed (notifications began Feb 23, 2026)
- **Incident Date:** August 2025
- **Affected Organization:** University of Hawaii Cancer Center (Epidemiology Division)
- **Sector:** Education / Healthcare / Research
- **Geography:** Honolulu, Hawaii, USA
## Timeline of Events
### Initial Access
- **Date/Time:** August 2025
- **Vector:** Ransomware attack (the specific entry vector, such as phishing or an exposed RDP service, is not specified in the public notice)
- **Details:** Attackers gained access to the Cancer Center’s Epidemiology Division network.
### Lateral Movement
- Internal movement within the Epidemiology Division's research databases and email systems.
### Data Exfiltration/Impact
- **August 2025:** Attackers stole data belonging to 1.2 million individuals.
- **February 2026:** Identification of specific cohorts, including 87,000 MEC Study participants and 900,000 additional email addresses.
### Detection & Response
- **Detection:** Discovered via ransomware deployment/encryption or post-incident investigation.
- **Response Actions:** UH initiated a forensic investigation, launched a dedicated incident website (hxxp[://]www[.]hawaii[.]edu/cancercenter/incident/), and began sending notification letters in late February 2026.
## Attack Methodology
- **Initial Access:** Not disclosed; attributed to a ransomware group whose methodology is consistent with modern RaaS operators.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Scanned for sensitive research data and contact lists.
- **Lateral Movement:** Moved from initial entry point to Epidemiology Division servers.
- **Collection:** Aggregated data from the Multiethnic Cohort (MEC) Study (1993-1996).
- **Exfiltration:** Massive data theft of ~1.2 million records.
- **Impact:** Data encryption and unauthorized disclosure (Double extortion).
## Impact Assessment
- **Financial:** Significant costs associated with forensic auditing, credit monitoring services, and legal notifications.
- **Data Breach:** Exposure of sensitive research data, participant names, and approximately 900,000 email addresses.
- **Operational:** Disruption to the Cancer Center’s research activities and staff operations.
- **Reputational:** High impact; affects trust in long-term longitudinal studies (e.g., MEC Study) and the university’s ability to protect sensitive clinical research.
## Indicators of Compromise
- **Network indicators:** None listed in the public report (Monitor for unauthorized connections to known ransomware C2 nodes).
- **File indicators:** Not disclosed.
- **Behavioral indicators:** Large-scale data egress during August 2025; unauthorized administrative access within the research network.
## Response Actions
- **Containment measures:** Isolation of the Epidemiology Division’s affected servers.
- **Eradication steps:** External forensic experts engaged to clear the environment of malicious artifacts.
- **Recovery actions:** Deployment of a substitute notice and notification website; provision of credit monitoring for MEC Study participants.
## Lessons Learned
- **Key takeaways:** Research data remains a high-value target for ransomware groups due to the sensitivity of participant PII/PHI.
- **What could have been done better:** Earlier detection and reporting; the gap between the August 2025 breach and February 2026 notification suggests a lengthy and complex discovery/review phase.
## Recommendations
- **Network Segmentation:** Isolate research divisions and epidemiology databases from the broader University of Hawaii administrative network.
- **Multi-Factor Authentication (MFA):** Ensure MFA is enforced on all remote access points and research portals.
- **Encryption at Rest:** Ensure historical research data (like the 1993-1996 MEC Study) is encrypted to limit plain-text exfiltration. Note that transparent full-disk or database-volume encryption only protects data on stolen or decommissioned media; an attacker reading records through a running database or file server sees plaintext, so application-level or field-level encryption with separately controlled keys is what actually reduces what a live compromise can exfiltrate.
- **Log Management:** Implement robust SIEM monitoring to detect large-scale data transfers to unauthorized external IPs.
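The last recommendation is the one a SOC can act on directly: a volumetric egress rule over flow or proxy logs. The following Python is an added example, not code from the UH report or the university, showing the core of such a rule. It assumes a constructed CSV-like flow record (`timestamp,src,dst,bytes_out`), a placeholder 5 GiB-per-hour threshold, and a constructed allowlist of sanctioned external destinations; none of these values come from the incident.

```python
"""Flag hosts that push an unusually large volume of data to external
addresses within a fixed time window. Added example; the log format,
threshold and allowlist are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow records (not real telemetry): ts,src,dst,bytes_out
SAMPLE_FLOWS = """\
2025-08-12T01:05:10Z,10.20.5.14,10.20.9.2,52428800
2025-08-12T01:15:42Z,10.20.5.14,203.0.113.25,3221225472
2025-08-12T01:40:03Z,10.20.5.14,203.0.113.25,3221225472
2025-08-12T01:55:59Z,10.20.5.14,198.51.100.7,1073741824
2025-08-12T02:10:00Z,10.20.5.14,203.0.113.25,2147483648
2025-08-12T01:20:00Z,10.20.7.31,10.20.9.2,4294967296
2025-08-12T01:22:00Z,10.20.7.31,192.0.2.44,104857600
2025-08-12T03:00:00Z,10.20.8.9,198.51.100.7,209715200
"""

# RFC 1918 ranges; traffic staying inside these is not egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed allowlist: e.g. the sanctioned off-site backup provider.
ALLOWLIST = {"192.0.2.44"}


def is_internal(ip: str) -> bool:
    """True if the address falls in a private (internal) range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse one constructed flow record into (datetime, src, dst, bytes)."""
    ts, src, dst, nbytes = line.strip().split(",")
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t, src, dst, int(nbytes)


def detect_bulk_egress(lines, threshold_bytes=5 * 2**30, window_seconds=3600):
    """Return [(src, window_start_iso, total_bytes)] for each source host whose
    outbound bytes to non-allowlisted external IPs exceed threshold_bytes inside
    one tumbling window (windows aligned to the Unix epoch)."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        t, src, dst, nbytes = parse_flow(line)
        # Only count traffic leaving the organisation to non-sanctioned hosts.
        if is_internal(dst) or dst in ALLOWLIST:
            continue
        bucket = int(t.timestamp()) // window_seconds * window_seconds
        totals[(src, bucket)] += nbytes

    hits = []
    for (src, bucket), total in sorted(totals.items()):
        if total > threshold_bytes:
            start = datetime.fromtimestamp(bucket, tz=timezone.utc)
            hits.append((src, start.strftime("%Y-%m-%dT%H:%M:%SZ"), total))
    return hits


if __name__ == "__main__":
    for src, start, total in detect_bulk_egress(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT bulk egress: {src} sent {total / 2**30:.1f} GiB "
              f"to external hosts in the hour starting {start}")
```

In the sample, only `10.20.5.14` trips the rule (about 7 GiB to external hosts between 01:00 and 02:00); the 4 GiB internal copy by `10.20.7.31` and its transfer to the allowlisted backup address are correctly ignored. Two design points matter in production: tumbling windows can miss a transfer that straddles a boundary, so a sliding window or per-host daily baseline (alert on deviation from the host's own normal, not a global constant) catches slow exfiltration better; and the allowlist needs the same change control as a firewall rule, because a newly "sanctioned" destination is exactly where an attacker would like their staging host to be.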