What happened
The University of Hawaiʻi Cancer Center data breach and delayed notification began with a ransomware attack in August 2025 that compromised servers supporting the center's research operations. An unauthorized third party accessed and encrypted research files and stole participants’ Social Security numbers and other personal information. The university engaged cybersecurity experts to mitigate the breach and obtained a decryption tool, but it did not notify affected study participants until months later, raising concerns about compliance with state breach reporting requirements. UH officials have not disclosed the number of individuals impacted, which research was affected, or whether a ransom was paid. The attack illustrates operational and legal risks tied to ransomware targeting research infrastructure and sensitive participant data.
Who is affected
Participants in the impacted cancer research study, the University of Hawaiʻi’s research operations, and potentially other academic research stakeholders face direct exposure of personal information and operational disruption.
Why CISOs should care
Delayed notification after data theft can trigger regulatory scrutiny, legal risk, and reputational damage, while ransomware targeting research systems underscores the importance of securing research infrastructure and sensitive data.
3 practical actions
- Review breach reporting practices: Ensure incident response plans align with applicable legal breach notification timelines.
- Enhance ransomware defenses: Harden research and data-centric environments with segmentation, backups, and prompt detection mechanisms.
- Validate third-party support: Confirm external cybersecurity partners’ roles and effectiveness in incident response engagements.
