University of Hawaiʻi Cancer Center Discloses Ransomware Attack Impacting 1.24 Million Individuals

Executive Summary

The University of Hawaiʻi (UH) Cancer Center has publicly disclosed a significant data breach resulting from a ransomware attack detected on August 31, 2025. The incident compromised servers in the center's Epidemiology Division, exposing the sensitive personal data of approximately 1.24 million individuals. The compromised information includes decades of research data, such as Social Security numbers, driver's license numbers from around the year 2000, and 1998 voter registration records. Notably, the university confirmed it made the decision to pay the ransom to the unidentified threat actors to receive a decryption key and an assurance that stolen data would be deleted. This event highlights the difficult decisions faced by victim organizations and the long-tail risks associated with historical research data.

Threat Overview

On August 31, 2025, an unidentified ransomware group successfully attacked and encrypted servers within the UH Cancer Center's Epidemiology Division. A subsequent forensic investigation revealed the potential exposure of data for 1.24 million people. The breach did not affect active patient care systems or student records.

The compromised data is highly sensitive and historical in nature:

• Multiethnic Cohort (MEC) Study: Data for ~87,000 participants.
• Historical State Records: Data for an additional 1.15 million individuals, used for research recruitment.
• Specific Data Types: Social Security numbers, driver's license numbers (c. 2000), and voter registration records (c. 1998).

The decision to pay the ransom is a contentious one. While it may have been seen as the only way to recover the encrypted research data, it provides no guarantee that the attackers actually deleted the exfiltrated copies. Victims remain at high risk.

Technical Analysis

While the specific ransomware variant was not named, the attack pattern is consistent with modern ransomware operations.

Likely MITRE ATT&CK Techniques:

• Initial Access: Common vectors include T1566 - Phishing, exploiting a vulnerable public-facing application (T1190 - Exploit Public-Facing Application), or brute-forcing remote services like RDP (T1110 - Brute Force).
• Discovery: Once inside, the attackers would have performed extensive network reconnaissance to locate high-value data, such as the research servers in the Epidemiology Division (T1018 - Remote System Discovery).
• Collection: Staging sensitive data from the research databases T1213 - Data from Information Repositories.
• Exfiltration: Transferring the collected data to attacker-controlled infrastructure before deploying the encryption payload T1041 - Exfiltration Over C2 Channel.
• Impact: Encrypting the data on the servers to deny access and force the ransom payment T1486 - Data Encrypted for Impact.

The payment of the ransom is a critical detail. It emboldens threat actors and funds their future operations. Furthermore, the 'affirmation' of data destruction from a criminal group is unreliable and should not be trusted. All exposed data must be considered permanently compromised.

Impact Assessment

• For the University: Significant financial costs (ransom payment, incident response, notification, credit monitoring), reputational damage, and potential loss of trust from research participants and funding bodies. Regulatory scrutiny under HIPAA is also likely.
• For the Victims: A severe and lifelong risk of identity theft and fraud due to the exposure of immutable data like Social Security numbers. The age of the data does not diminish its value to criminals.
• For the Research Community: This incident may have a chilling effect on individuals' willingness to participate in long-term research studies that require the collection of sensitive PII.

IOCs

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables for Detection

Detection & Response

Detection:

1. EDR/XDR: Deploy advanced endpoint protection to detect ransomware behaviors like mass file modification and deletion of shadow copies. Use D3FEND's File Content Rules to flag suspicious file changes.
2. Network Segmentation Monitoring: Monitor traffic between network segments. An alert should be triggered if a system from a less secure zone (e.g., user workstation VLAN) attempts to connect to a high-security research data zone.
3. Backup Integrity Monitoring: Monitor backup systems for signs of tampering or deletion attempts.

Response:

• The incident has been reported to the FBI for investigation.
• UH is mailing notification letters and presumably offering credit monitoring services to the 1.24 million affected individuals.

Mitigation

Strategic Mitigations:

• Data Minimization and Archiving: For historical research data, review and implement a data minimization policy. If raw PII is no longer needed for active research, it should be de-identified, anonymized, or securely archived offline to reduce the attack surface.
• Zero Trust Segmentation: Isolate critical research data repositories in a micro-segmented network zone (an enclave) with strict ingress/egress filtering and multi-factor authentication required for any access.

Tactical Mitigations:

• Immutable Backups: Maintain multiple copies of critical data, with at least one copy being offline and immutable (e.g., on air-gapped tape or in cloud storage with object lock enabled).
• Patching: Aggressively patch all internet-facing systems and internal servers to close vulnerabilities.
• MFA Everywhere: Enforce MFA for all remote access, administrative access, and access to sensitive data repositories.