The University of Hawaiʻi Cancer Center said up to 1.2 million people had information leaked as a result of a ransomware attack on its epidemiology division last year.

Hackers accessed records containing Social Security numbers (SSNs) and driver’s license numbers collected from the Hawaiʻi State Department of Transportation as well as City and County of Honolulu voter registration records from 1998, according to a statement released by the organization last week.

Part of the breach was traced back to a Multiethnic Cohort (MEC) Study established in 1993. The university used driver’s license numbers and voter registration records to recruit participants in the study. Some of the files exposed included health-related information.

In addition to data on MEC Study participants, files related to three other epidemiological studies of diet and cancer were accessed. Investigations into the breach are still ongoing to figure out if other sensitive information was accessed. 

In total, 87,493 people who participated in the study had information stolen but the university said “additional individuals whose personal information may have been included in the historical driver’s license and voter registration records with SSN identifiers number approximately 1.15 million.”

In January, the university sent a report to the state legislature that said the cyber incident was first discovered on August 31, 2025. 

“Due to the extensiveness of the encryption by the threat actors, it took some time for UH to restore the affected systems and be in a position to assess the impact to data,” the university said in the 3-page report. 

“While the investigation was underway, UH made the difficult decision to engage with the threat actors in order to protect the individuals whose sensitive information may have been compromised.”

The information stolen was located on certain servers that support the University of Hawaiʻi Cancer Center’s epidemiology research operations in a subset of research files. The ransomware attack did not affect information held by the University of Hawaiʻi Cancer Center’s Clinical Trials operations, patient care, or any other divisions of the Cancer Center. 

Naoto Ueno, director of the University of Hawaiʻi Cancer Center, apologized for the incident last week and said the organization was “committed to transparency.”

The university said the attackers encrypted and likely exfiltrated data, prompting them to notify law enforcement and hire cybersecurity experts to resolve the situation. The cybersecurity firm obtained a decryption tool and secured “an affirmation that any information obtained was destroyed.” 

University officials claimed there is “no evidence that any of the information has been published, shared or misused.” The group responsible for the attack was not identified. 

“This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed,” said University of Hawaiʻi President Wendy Hensel. 

The University of Hawaii system comprises three universities, seven community colleges and an employment training center alongside several research facilities spread across six islands. It serves about 50,000 students.

In 2023, Hawaiʻi Community College — an arm of the University of Hawaiʻi — dealt with its own ransomware attack and also paid a ransom to the NoEscape ransomware gang. The information of about 28,000 people was impacted by the 2023 attack.