CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

University of Hawaii Cancer Study Data Breach Raises Notification and Transparency Concerns

A ransomware attack on the University of Hawaii Cancer Center exposed sensitive personal information from participants in a cancer research study, including Social Security numbers. Despite discovering the breach in August, the university did not notify affected individuals for several months, raising concerns about compliance with state breach notification laws, transparency, and incident response practices in sensitive research environments.

Context

Universities increasingly manage large volumes of sensitive data, particularly in medical and research settings. When breaches occur, institutions are subject to legal reporting timelines, ethical obligations to participants, and scrutiny over decisions such as ransom payments. The University of Hawaii case highlights the challenges academic institutions face when ransomware impacts regulated research data.

What Happened

In August, threat actors breached servers at the University of Hawaii Cancer Center, encrypted research files related to a cancer study, and demanded payment in exchange for a decryption tool.

The university disclosed the incident months later in a December report to the state legislature. At the time of disclosure, affected study participants had not yet been notified that their personal information may have been stolen.

University officials declined to provide details about the scope of the breach, including the number of affected individuals, the specific research project involved, or whether a ransom was paid.

Technical Breakdown

According to the legislative report, attackers gained unauthorized access to Cancer Center systems, encrypted study-related data, and exfiltrated sensitive personal information.

The university stated that it engaged third-party cybersecurity experts, obtained a decryption tool, and worked to secure the “destruction” of stolen data. However, no technical evidence or verification methods were disclosed to confirm that the attackers no longer retained copies of the data.

Post-incident actions included password resets, deployment of new endpoint protection tools, rebuilding compromised systems, and conducting a third-party security assessment.

Impact Analysis

The exposed data reportedly includes Social Security numbers and other personally identifiable information tied to cancer research participants.

Delays in notification increase the risk of identity theft, fraud, and long-term privacy harm. Additionally, the lack of transparency complicates oversight and undermines trust between research institutions and study participants who provided sensitive data under assurances of confidentiality.

Why It Matters

Hawaii state law generally requires government agencies to notify the legislature of data breaches within 20 days, including details on the number of affected individuals and notification actions.

In this case, the breach was discovered in August, but the report was filed in December, with no indication that law enforcement requested a delay. The omission raises questions about compliance, governance, and accountability in public research institutions handling regulated data.

Expert Commentary

While federal authorities such as the Federal Bureau of Investigation discourage paying ransoms, industry experts note the reality is often more complex.

Local cybersecurity leaders point out that organizations facing operational paralysis and sensitive data exposure may choose to pay despite the risks, acknowledging there is no guarantee attackers will honor promises to decrypt files or delete stolen data.

Key Takeaways

  • Sensitive cancer research data was exposed in a ransomware attack at the University of Hawaii

  • Notification to affected individuals was delayed by several months

  • Details about ransom payment and data destruction remain undisclosed

  • The incident raises legal and ethical questions about breach reporting compliance

  • Prevention, resilience, and transparency remain critical for research institutions
