What You Need to Know about the University of Hawaii Cancer Center Data Breach

The University of Hawaii Cancer Center is the only National Cancer Institute-designated cancer center in Hawaii. Located in Honolulu, the center employs over 300 faculty and staff conducting critical epidemiological research studying cancer risks across diverse populations.

In August 2025, the Cancer Center fell victim to a ransomware attack that exposed Social Security numbers of up to 1.15 million people. The breach primarily affected the Multiethnic Cohort Study, a major cancer research project that began in 1993, studying cancer risks among 215,000 participants ages 45 to 75. Approximately 104,000 participants lived in Hawaii, with the rest in California.

The exposed data came from historical records dating back to the 1990s, when researchers used Hawaii driver's license records and Honolulu voter registration records to recruit participants. At that time, these government records included Social Security numbers as identifiers. The ransomware group encrypted the Cancer Center's servers and stole research files containing 87,493 confirmed study participants' information, plus approximately 1.15 million additional individuals whose data were in the historical records.

The university controversially decided to pay a ransom to obtain a decryption tool and secure assurances that the stolen data would be destroyed. As of February 2026, the university stated there is no evidence that the information has been published or misused. The university is offering 12 months of free credit monitoring and one million dollars in identity theft insurance.

When Was the University of Hawaii Cancer Center Data Breach?

The ransomware attack was discovered on or around August 31, 2025. Officials immediately disconnected affected systems and retained third-party cybersecurity experts to investigate. The ransomware group encrypted files on servers supporting research operations, making data inaccessible.

Due to extensive encryption, it took considerable time to restore systems and assess the full impact. The investigation determined that an unauthorized third party had accessed and could have exfiltrated a subset of research files from the compromised servers.

University officials made the difficult decision to engage with the threat actors and pay a ransom to obtain a decryption tool and secure assurances that the attackers would destroy the stolen data. While the FBI generally discourages paying ransoms because it encourages future attacks, many organizations facing encrypted systems make this difficult choice.

The university submitted a report to the Hawaii state legislature in December 2025, approximately three months after discovering the breach. This raised questions about compliance with Hawaii state law, which generally requires state agencies to report data breaches within 20 days. University officials declined to comment on the delay.

Letters notifying the 87,493 confirmed study participants were sent in February 2026, approximately six months after the breach was discovered. Additionally, the university sent emails to approximately 900,000 other individuals whose information might have been stolen.

How to Check If Your Data Was Breached

If you participated in cancer research studies conducted by the University of Hawaii Cancer Center or if you were a Hawaii resident in the 1990s when the Multiethnic Cohort Study was recruiting participants, your information may have been exposed. Here's how to verify whether you were affected:

• Check your mail for notification letters from the University of Hawaii Cancer Center sent in February 2026. The university mailed letters to 87,493 confirmed study participants whose data was definitely compromised.
• Check your email for notifications from the university. Approximately 900,000 additional individuals received emails informing them that their personal information might have been included in the historical driver's license and voter registration records that were breached.
• Visit the University of Hawaii Cancer Center's dedicated breach information website at hawaii.edu/cancercenter/incident/ for details about the incident, information about what data was compromised, and instructions for enrolling in complimentary credit monitoring services.
• If you obtained a Hawaii driver's license in the 1990s or were registered to vote in Honolulu in 1998, your information may have been included in the breached records even if you never directly participated in any Cancer Center studies, since these government records with Social Security numbers were used for participant recruitment.
• Contact the University of Hawaii Cancer Center directly if you believe you may have been affected but have not received notification. The university may still be working to compile complete contact information for all potentially affected individuals.

What to Do If Your Data Was Breached

If you received notification that your information was exposed, take immediate protective steps:

• Enroll in the complimentary credit monitoring and identity theft protection services offered by the university. The notifications included instructions for activating 12 months of free credit monitoring and one million dollars in identity theft insurance coverage. These services can alert you to suspicious activity. Do not ignore this offer, and note that enrollment deadlines typically expire within a few months.
• Place fraud alerts on your credit reports with all three major credit bureaus: Equifax, Experian, and TransUnion. A fraud alert requires creditors to verify your identity before opening new accounts in your name. You only need to contact one bureau. For stronger protection, consider placing a credit freeze, which prevents anyone from accessing your credit file to open new accounts.
• Monitor your credit reports closely for unauthorized activity. The exposure of Social Security numbers creates a significant identity theft risk. Review your credit reports from all three bureaus at least quarterly. You are entitled to one free credit report annually from each bureau through AnnualCreditReport.com.
• Be vigilant about suspicious communications. Criminals may use the stolen information to craft convincing phishing attempts claiming to be from the university, healthcare providers, or government agencies. Never provide personal information in response to unsolicited contacts.
• Consider filing your tax returns early in the tax season. Tax-related identity theft, where criminals file fraudulent returns using stolen Social Security numbers, is common. By filing early, you reduce the window for criminals to file false returns in your name.

Are There Any Lawsuits Because of the Data Breach?

As of late February 2026, no class action lawsuits have been publicly filed. However, the size of the breach affecting up to 1.15 million individuals, the exposure of Social Security numbers, and the lengthy delay between discovery and notification make class action litigation likely.

Potential legal claims could focus on several concerning aspects. The university's decision to pay the ransom raises questions about whether this encourages future attacks. The storage of decades-old government records containing Social Security numbers suggests inadequacies in data retention policies and archival security practices.

The six-month delay in notifying affected individuals could become a central issue. Hawaii state law generally requires state agencies to report breaches within 20 days. Plaintiffs' attorneys may argue that six months increased the risk to affected individuals by delaying their ability to protect themselves.

If lawsuits are successful, affected individuals could potentially recover damages for the increased risk of identity theft they now face, time and expense of monitoring credit reports, costs of credit monitoring services, and emotional distress. University officials have declined to provide breach response costs, citing pending litigation, which suggests the university anticipates legal action.

Can My Information Be Used for Identity Theft?

Yes, absolutely. The University of Hawaii breach is particularly dangerous because of Social Security number exposure. Unlike passwords or credit card numbers, Social Security numbers cannot be changed. Once exposed, they remain a permanent vulnerability that criminals can exploit for decades.

With your Social Security number, criminals can commit numerous forms of identity theft. They can open new credit card accounts, apply for loans, obtain mortgages, lease apartments, open utility accounts, and apply for government benefits in your name. Many institutions accept Social Security numbers as sufficient verification without requiring additional documentation.

Tax-related identity theft is particularly common. Criminals file fraudulent tax returns early in the tax season, claiming refunds using your Social Security number but their own bank accounts. When you file your legitimate return, it gets rejected. Resolving tax-related identity theft can take months or years.

Employment identity theft occurs when criminals use your Social Security number to obtain jobs. You may not discover this fraud until you receive IRS letters about unreported income or apply for Social Security benefits and discover someone else has been working under your number. Medical identity theft is another risk, where criminals use your information to obtain healthcare services, leaving you with bills and corrupting your medical records.

The historical nature of this data makes it valuable for synthetic identity theft, where criminals combine real Social Security numbers with fabricated details to create new identities that pass initial screening and eventually commit large-scale fraud.

What Can You Do to Protect Yourself Online?

Social Security number exposure creates permanent vulnerability. Here are steps to protect yourself:

• Treat your Social Security number as the most sensitive information you possess. Never carry your Social Security card in your wallet. Provide your Social Security number only when absolutely necessary and ask how it will be stored and protected.
• Consider obtaining an Identity Protection PIN from the IRS. This six-digit number adds security to your tax filing, preventing criminals from filing fraudulent returns in your name even with your Social Security number. Request an IP PIN through the IRS website.
• Monitor your Social Security Administration account regularly. Create an account at ssa.gov to review your earnings history and watch for signs someone else is working under your Social Security number.
• Set up account alerts for all financial accounts. Most banks offer free text or email alerts for transactions, login attempts, address changes, and account activity. These notifications allow you to catch fraud immediately.
• Be cautious about medical identity theft. Review all explanations of benefits statements carefully. Look for medical services you didn't receive, unfamiliar providers, or charges for procedures you never had.
• Regularly review credit reports from all three major bureaus for unauthorized accounts, unfamiliar inquiries, or other signs of identity theft. Take advantage of the free credit monitoring offered by the university, but don't rely solely on automated monitoring.
• Consider comprehensive identity theft protection beyond the 12 months offered by the university. Since Social Security numbers remain vulnerable permanently once exposed, long-term monitoring and protection may be worthwhile.

The University of Hawaii breach highlights the long-term risks of storing historical data containing sensitive identifiers. The exposure of up to 1.15 million Social Security numbers creates permanent vulnerability for affected individuals who must remain vigilant against identity theft for the rest of their lives.