A 2025 cyberattack on the University of Hawaiʻi (UH) Cancer Center’s Epidemiology Division may have exposed files containing Social Security numbers and driver’s license numbers, the university announced last week.
According to the announcement, the incident mostly affected two datasets: Hawaiʻi driver’s license records collected in 2000 from the State Department of Transportation, and City and County of Honolulu voter registration records collected in 1998. At the time, identifiers in both datasets were typically Social Security numbers.
The Hawaiʻi driver’s license and Honolulu voter registration records were primarily used by the University to recruit research study participants, principally for the Multiethnic Cohort Study. Some of the exposed files also included research data with health-related information on study participants and certain other individuals.
A total of 87,493 Multiethnic Cohort Study participants were potentially impacted. Another 1.15 million individuals may have had personal information included in historical driver’s license and voter registration records that used Social Security numbers as identifiers.
“The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted,” said Naoto T. Ueno, director of the UH Cancer Center. “We take this matter extremely seriously and are committed to transparency, accountability, and strengthening protections for the research data entrusted to us.”
Ongoing investigation and delayed notification
On or about Aug. 31, 2025, the UH Cancer Center learned it was the victim of a cyberattack isolated to specific systems supporting its Epidemiology Division. An unauthorized third party encrypted large amounts of data and provided proof that it had potentially exfiltrated a portion of that data.
There was no impact on information held by the Cancer Center’s Clinical Trials operations, patient care, or any other divisions, and no impact on University of Hawaiʻi student records.
The Cancer Center notified law enforcement. Working with third-party cybersecurity experts, the Cancer Center obtained a decryption tool and secured an affirmation that the accessed information was destroyed.
To date, the university said there is no evidence that any of the information has been published, shared, or misused, and it has not received reports of fraud or identity theft related to the cyberattack.
The affected systems were immediately taken offline and have since been secured and reviewed by experts. The university said the threat is no longer ongoing.
Although the Cancer Center detected the incident on Aug. 31, 2025, it did not confirm the full extent of the potential impact until February 2026 “due to the volume and complexity of the encrypted data and the age of the studies and records,” according to the university.
The university continues investigations to assess whether other sensitive information was impacted.
Cybersecurity enhancements and reviews
The university has implemented extensive cybersecurity and governance enhancements following the attack. This includes redesigning and hardening the network, extending the deployment of modern endpoint protection with 24/7 monitoring, upgrading hardware, migrating sensitive research servers into the UH Information Technology Services data center, implementing stricter access controls for sensitive data, and enforcing cybersecurity training for Cancer Center staff.
The university has also established a new Information Security Task Force responsible for updating policies, strengthening cyber roles and responsibilities, and recommending enterprise-level controls and investments. It also created a new Information Security Governance Council for Research, responsible for coordinating research-related cybersecurity.
In addition, the university has launched internal reviews, and independent third parties have been engaged to investigate the cyberattack and assess and validate the security controls for the entire UH Cancer Center.
“This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed,” said UH President Wendy Hensel. “We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi.”
