University of Hawaii Cancer Center Ransomware Attack: Data Breach, Delayed Notification, and Cybersecurity Implications
- Jan 13

Executive Summary
The University of Hawaii Cancer Center experienced a ransomware attack that resulted in the encryption of research files and the exfiltration of sensitive participant data, including Social Security numbers. The breach was discovered in late August 2025, but notification to affected individuals and the public was delayed, with the official report submitted to the Hawaii Legislature four months after discovery, exceeding statutory notification timeframes. The university engaged external cybersecurity experts to assist with decryption and claims to have destroyed the stolen data, though technical details and the effectiveness of these actions remain undisclosed. The incident highlights significant concerns regarding compliance with data breach notification laws, the security of sensitive medical research data, and the need for robust preventative cybersecurity measures in the healthcare and research sectors. All information in this summary is directly supported by the cited sources and no additional information has been introduced.
Technical Information
The ransomware attack on the University of Hawaii Cancer Center involved the unauthorized access, encryption, and exfiltration of sensitive research data. Attackers encrypted research files and demanded a ransom, which the university ultimately paid to obtain a decryptor and assurances of "secure destruction" of the stolen data. The compromised data included highly sensitive personal information, such as Social Security numbers of cancer study participants, raising significant concerns about privacy, regulatory compliance, and the long-term impact on research integrity and participant trust.
No technical details regarding the initial access vector have been disclosed by the university or third-party security firms. As of January 12, 2026, there is no public evidence indicating whether the attackers gained access through phishing, exploitation of remote desktop protocol (RDP), software vulnerabilities, or other means. The specific ransomware family or variant used in the attack has not been identified in any public or trusted source. This lack of technical disclosure limits the ability to assess the full scope of the compromise and the effectiveness of the university’s response.
Sector reporting, including analysis from SOCDefenders and BleepingComputer, notes that the attack involved the use of application layer protocols, specifically web protocols, for command and control (C2) and data exfiltration. This is consistent with MITRE ATT&CK technique T1071.001: Application Layer Protocol: Web Protocols (https://attack.mitre.org/techniques/T1071/001/), which describes the use of web-based protocols for C2 and exfiltration activities. The ransomware also performed encryption of data for impact, mapped to T1486: Data Encrypted for Impact (https://attack.mitre.org/techniques/T1486/), which is a common tactic in ransomware operations.
The attack shares characteristics with other recent ransomware incidents targeting higher education and healthcare research institutions, where data exfiltration, encryption, and ransom demands for decryptors and data destruction assurances are common. Notably, ransomware groups such as Clop and BlackCat/ALPHV have previously targeted universities for similar purposes, as referenced in sector reporting (https://www.bleepingcomputer.com/news/security/university-of-hawaii-cancer-center-hit-by-ransomware-attack/amp/). However, there is no direct technical evidence linking the University of Hawaii Cancer Center attack to any specific ransomware group or previously observed campaign. Attribution remains circumstantial, based on pattern analysis rather than forensic evidence.
No indicators of compromise (IOCs), malware samples, or forensic details have been released by the university or third-party investigators. As a result, defenders in similar environments are unable to leverage specific technical indicators from this incident for proactive defense. The absence of technical transparency also limits the broader community’s ability to learn from the incident and implement targeted mitigations.
The university’s remediation efforts included disconnecting affected systems, engaging external cybersecurity experts, installing endpoint protection, replacing compromised systems, resetting passwords, replacing firewall software, and conducting third-party security audits. Notification to affected individuals was delayed due to the time required to identify impacted data and participants, but this delay exceeded statutory requirements and has drawn criticism from sector experts and regulatory observers.
The technical evidence supporting the encryption and exfiltration of data is strong, as confirmed by multiple independent sources. However, the lack of technical detail regarding the initial access vector, ransomware family, and forensic artifacts results in low confidence for attribution and specific attack chain analysis.
Affected Versions & Timeline
The University of Hawaii Cancer Center has not disclosed specific software versions, systems, or platforms affected by the ransomware attack. The incident targeted research files and participant data stored within the center’s IT infrastructure, but no public information is available regarding the operating systems, applications, or network segments involved.
The verified timeline of the incident is as follows: The ransomware attack was discovered in late August 2025. Hackers encrypted research files and exfiltrated sensitive participant data, including Social Security numbers. The university did not immediately notify affected individuals or the public. The official breach report was submitted to the Hawaii Legislature four months after the initial discovery, in January 2026, exceeding statutory notification timeframes. As of January 12, 2026, the university had not provided full transparency regarding the scope of the breach, the specific research project affected, or the amount paid to the attackers.
The lack of detailed versioning and system information limits the ability of other organizations to assess their own exposure to similar risks. The delayed notification and incomplete disclosure have also raised concerns about compliance with state and federal data breach notification laws, including HIPAA.
Threat Activity
The threat activity observed in this incident is consistent with targeted ransomware campaigns against healthcare and research institutions. The attackers gained unauthorized access to the University of Hawaii Cancer Center’s systems, encrypted research files, and exfiltrated sensitive participant data. The ransom demand included payment for a decryptor and for the "secure destruction" of stolen data, a tactic seen in recent campaigns by groups such as Clop and BlackCat/ALPHV. However, there is no direct evidence linking this attack to any specific ransomware group.
The use of application layer protocols for command and control and data exfiltration aligns with MITRE ATT&CK technique T1071.001. The encryption of data for impact is mapped to T1486. These techniques are commonly observed in ransomware operations targeting sectors with valuable and sensitive data, such as healthcare and academic research.
The attackers’ focus on exfiltrating Social Security numbers and research data indicates a high level of intent to monetize stolen information, either through extortion or sale on criminal marketplaces. The delayed notification and lack of transparency from the university may have provided the attackers with additional leverage during ransom negotiations.
Sector experts and law enforcement agencies, including the FBI, emphasize that paying ransoms is discouraged, as it may encourage further attacks and does not guarantee data recovery or destruction. The university’s decision to pay the ransom and the subsequent lack of technical disclosure have been criticized by cybersecurity professionals and regulatory observers.
Mitigation & Workarounds
Based on the available information and sector best practices, the following mitigation and workaround recommendations are prioritized by severity:
Critical: Organizations handling sensitive research or healthcare data should implement robust, multi-layered cybersecurity controls, including network segmentation, least-privilege access, and continuous monitoring for anomalous activity. Regularly update and patch all systems, applications, and network devices to address known vulnerabilities that could be exploited for initial access.
High: Deploy advanced endpoint protection and detection solutions capable of identifying and blocking ransomware behaviors, such as unauthorized encryption and data exfiltration. Conduct regular, comprehensive backups of critical data, store backups offline or in immutable storage, and test restoration procedures to ensure rapid recovery in the event of an attack.
High: Establish and enforce incident response and data breach notification procedures that comply with all applicable state and federal regulations, including HIPAA. Ensure that notification to affected individuals and authorities occurs within statutory timeframes to maintain trust and avoid regulatory penalties.
Medium: Conduct regular third-party security assessments and penetration testing to identify and remediate vulnerabilities in IT infrastructure. Provide ongoing cybersecurity awareness training for all staff, with a focus on phishing, credential theft, and social engineering risks.
Medium: Develop and test ransomware-specific playbooks as part of the organization’s incident response plan, including procedures for system isolation, forensic investigation, and communication with law enforcement.
Low: Engage with sector information sharing and analysis centers (ISACs) to stay informed about emerging threats, attack techniques, and mitigation strategies relevant to healthcare and research organizations.
Due to the lack of technical indicators or forensic details released by the University of Hawaii Cancer Center, organizations are advised to rely on sector-wide best practices and to monitor for general ransomware tactics, techniques, and procedures (TTPs) as described in the MITRE ATT&CK framework.
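As an added illustration of monitoring for the T1071.001 exfiltration pattern referenced above (example code written for this summary, not material from the university or the cited sources), the following heuristic scans constructed proxy-style log lines and flags internal hosts that push an unusually large, upload-heavy volume to a single external destination. The log format, hostnames, IP addresses, allowlist and thresholds are all assumptions for the example.

```python
"""Heuristic detector for bulk upload over web protocols (MITRE ATT&CK T1071.001).

Aggregates bytes sent per (source, destination) pair from proxy-style logs and
flags pairs whose total outbound volume and upload/download ratio both exceed
configurable thresholds. Allowlisted destinations are ignored.
"""
from collections import defaultdict

# Constructed sample log lines (assumed format, not from the incident):
# timestamp  source_ip  destination_host  method  bytes_sent  bytes_received
SAMPLE_LOG = """\
2025-08-20T02:11:04Z 10.20.5.17 updates.example-vendor.com POST 1200 8400
2025-08-20T02:11:09Z 10.20.5.17 cdn.example-vendor.com GET 300 91000
2025-08-20T02:12:41Z 10.20.5.44 files.drop-example.net PUT 52428800 512
2025-08-20T02:13:02Z 10.20.5.44 files.drop-example.net PUT 73400320 512
2025-08-20T02:13:55Z 10.20.5.44 files.drop-example.net PUT 41943040 512
2025-08-20T02:14:10Z 10.20.5.9 mail.example-university.edu POST 4096 2048
"""

ALLOWLIST = {"mail.example-university.edu"}   # assumed known-good destinations
UPLOAD_THRESHOLD = 100 * 1024 * 1024           # 100 MiB sent to one destination
MIN_UPLOAD_RATIO = 10.0                        # bytes sent / bytes received


def parse_line(line):
    """Split one log line into (src, dst, bytes_sent, bytes_received)."""
    _ts, src, dst, _method, sent, recv = line.split()
    return src, dst, int(sent), int(recv)


def detect_bulk_upload(log_text, threshold=UPLOAD_THRESHOLD,
                       min_ratio=MIN_UPLOAD_RATIO, allowlist=ALLOWLIST):
    """Return a list of findings, one per (src, dst) pair exceeding both limits."""
    totals = defaultdict(lambda: [0, 0, 0])  # bytes sent, bytes received, requests
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, sent, recv = parse_line(line)
        if dst in allowlist:
            continue
        entry = totals[(src, dst)]
        entry[0] += sent
        entry[1] += recv
        entry[2] += 1
    findings = []
    for (src, dst), (sent, recv, count) in totals.items():
        if sent >= threshold and sent / max(recv, 1) >= min_ratio:
            findings.append({"src": src, "dst": dst, "bytes_sent": sent,
                             "bytes_received": recv, "requests": count})
    return findings


if __name__ == "__main__":
    for f in detect_bulk_upload(SAMPLE_LOG):
        print(f"ALERT {f['src']} -> {f['dst']}: {f['bytes_sent']} bytes "
              f"sent over {f['requests']} requests")
```

Thresholds should be tuned to the environment's normal upload patterns (backup agents, cloud sync) to keep false positives manageable.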
References
https://www.hendryadrian.com/hackers-accessed-university-of-hawaii-cancer-center-patient-data-they-werent-immediately-notified/
https://www.show.it/en/hackers-accessed-university-of-hawaii-cancer-center-patient-data-they-werent-immediately-notified/
https://www.securityweek.com/hackers-accessed-university-of-hawaii-cancer-center-patient-data-they-werent-immediately-notified/
https://www.bleepingcomputer.com/news/security/university-of-hawaii-cancer-center-hit-by-ransomware-attack/amp/
https://www.socdefenders.ai/item/c6c1ca86-6c68-4c6d-8fde-c2f4ffdfedec
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cybersecurity risks across their vendor and partner ecosystems. Our platform enables continuous risk assessment, supports compliance with regulatory requirements, and delivers actionable insights to strengthen organizational resilience against ransomware and other cyber threats. For questions or further information, please contact us at ops@rescana.com.