Notice of UH Cancer Center cyberattack affecting personal information

The University of Hawaiʻi Cancer Center’s Epidemiology Division was the victim of a cyberattack that possibly exposed records containing Social Security numbers and driver’s license numbers, mostly from Hawaiʻi DL records collected in 2000 from the State Department of Transportation and City and County of Honolulu voter registration records collected in 1998.

The Hawaiʻi DL and Honolulu voter registration records were primarily used to recruit research study participants, principally for the Multiethnic Cohort Study. The MEC Study was established in 1993 and recruited more than 215,000 men and women, aged 45 to 75 years, between 1993 and 1996 from five main ethnic/racial groups who were residents of Hawaiʻi and Los Angeles, California. Some of the exposed files also included research data with health-related information on study participants and certain other individuals. 

The MEC Study participants potentially impacted a total 87,493 individuals. Additional individuals whose personal information may have been included in the historical driver’s license and voter registration records with SSN identifiers number approximately 1.15 million.

There was no impact to information held by the UH Cancer Center’s Clinical Trials operations, patient care, or any other divisions of the UH Cancer Center.  There was no impact to UH student records.

“The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted,” said Naoto T. Ueno, director of the UH Cancer Center. “We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us.”

What happened and data involved

During the cyberattack, an unauthorized third party encrypted and potentially exfiltrated data containing personal information. The university notified law enforcement and worked with third-party cybersecurity experts to obtain a decryption tool, and secure an affirmation that any information obtained was destroyed. To date, there is no evidence that any of the information has been published, shared or misused.

The personal information affected by the incident was located in a subset of research files stored on certain servers that support the UH Cancer Center’s epidemiology research operations, including: 

1. Two files containing names in combination with SSNs: the first, containing DL numbers, was collected in the year 2000 from the State Department of Transportation; the second, containing voter registration information, was collected in the year 1998 from the City & County of Honolulu. At that time, DL numbers in Hawaiʻi  were typically based on SSNs, and City and County of Honolulu voter registration information also often contained SSNs. 
2. Files for study participants in the long-running Multiethnic Cohort (MEC) Study (recruitment for participants in Hawaiʻi and Los Angeles, California from 1993 to 1996) and three other epidemiological studies of diet and cancer focusing on colorectal adenomas (recruitment for participants 1995–2007) and colon cancer (recruitment for participants 1994–2005), which also had SSNs and/or DL numbers in combination with names. They may also have contained questionnaires and other study information on participan t health, as well as information pulled from national and state public health registries.
3. Two files that contain SSNs in combination with names collected from national and state public health registries as part of epidemiology research and study recruitment efforts. One file was closed to new names in 1999, and the other in the mid-2000s. The impacted files may also have contained research registry information about individuals’ health.

Investigations are still ongoing to assess other sensitive information that may have been impacted. UH is confident that any other personal information (SSNs or drivers’ license numbers in combination with names) found will be nominal and, where possible, those individuals will receive separate notice.

Assistance for potentially affected individuals

Notification letters offering credit monitoring and identity protection services were mailed on February 23rd to 87,493 MEC Study participants, the first group of potentially affected individuals identified. The university is now providing notice to all others potentially impacted via email (approximately 900,000 email addresses have been located) and this public announcement and the UH Cancer Center Cyberattack Information and Resource Website.  

To assist those who may have been impacted, UH has established dedicated call centers where individuals can:

• Verify whether their information may have been involved.
• Enroll in 12 months of free credit monitoring and $1 million in identity theft insurance

Call centers have been established for both groups and will open Monday, March 2:

• Call Center: 844-443-0842
• Hours: Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (excluding holidays)
  • March 2-6, 2026, 4:30 a.m. to 5 p.m., Hawaiʻi Standard Time
  • Starting March 9 (due to daylight savings time), 3:30 a.m. to 4 p.m. Hawaiʻi Standard Time

For additional details and enrollment information, visit the UH Cancer Center Cyberattack Information and Resource Website

Official updates will be posted at the UH Cancer Center Cyberattack Information and Resource Website, UH Cancer Center Website and UHNews.org. Please disregard any other websites, social media or messages claiming to represent UH that request personal information.

Security improvements and investigations

The UH Cancer Center has implemented extensive cybersecurity and governance enhancements including:  redesigning and hardening UHʻs network, extending the deployment of modern endpoint protection with 24/7 monitoring, upgrading hardware, migrating sensitive research servers into the UH Information Technology Services data center, implementing stricter access controls for sensitive data, and enforcing cybersecurity training for Cancer Center staff.  In addition, internal reviews are ongoing and independent third parties have been engaged to investigate the cyberattack and assess and validate the security controls for the entire UH Cancer Center.  

To increase information security oversight and awareness across the entire system, UH has taken the following actions:

• Created a new Information Security Governance Council for Research responsible to coordinate research‑related cybersecurity.
• Established a new Information Security Task Force responsible for updating policies, strengthening cyber roles and responsibilities, and recommending enterprise‑level controls and investments.

“This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed,” said UH President Wendy Hensel. “We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi.”