A data breach at the University of Hawaiʻi Cancer Center exposed the Social Security numbers of as many as 1.15 million people to computer hackers, the university said Thursday, providing more details about a ransomware attack UH first reported to the Legislature in December.
The university is offering 12 months of free credit monitoring and $1 million in identity theft insurance to people potentially affected, UH said in a news release and a website set up to provide information to people potentially affected. UH has written letters to 87,493 participants of a cancer research study who might have been affected and sent emails to another 900,000 whose personal information also might have been stolen.
The breach involved primarily the center’s long-running Multiethnic Cohort Study, which began in 2013 and involved studying cancer risks among 215,000 participants, ages 45 to 75 representing five main racial and ethnic groups. Approximately 104,000 participants lived in Hawaiʻi, the rest in California. Other cancer studies looking at diet and exercise also were involved in the breach.
To recruit Hawaiʻi participants, researchers used Hawaiʻi driver’s license and Honolulu voter registration records, which at the time included social security numbers, and that information made its way into Cancer Center files, UH said in its press statement.
In August, hackers broke into Cancer Center systems, gained the ability to steal the files containing the information and encrypted the files on the Cancer Center’s servers. UH notified law enforcement and hired cybersecurity experts to get a decryption tool to unlock the files and an affirmation that the hackers had destroyed the purloined data.
“To date, there is no evidence that any of the information has been published, shared or misused,” UH said Thursday.
UH also stressed that the attack didn’t affect information related to Cancer Center clinical trials, patient care or any other Cancer Center operations. There also was no impact to UH student records, UH said.
In response to the breach, UH has taken steps to strengthen cybersecurity at the Cancer Center and across all of its campuses. At the center, UH among other things has redesigned its network, extended so-called “endpoint protection” with continual monitoring and network, and implemented stricter access controls for sensitive data. Additionally, the center has stood up panels responsible for coordinating cybersecurity related to research and the center in general.
“This cyberattack requires a comprehensive, systemwide response,” UH president Wendy Hensel said in the news release. “I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed.”
“Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi,” she added.
While Thursday’s news release provided additional information, some questions remained unanswered. UH spokesman Dan Meisenzahl declined to say, for example, how much if anything the university had paid the hackers for the decryption code needed to unlock the files, saying the news release contained all of the information UH would share at this time.
Additionally, he said, the costs of upgrading UH systems to deal with the attack aren’t final because of pending litigation. It’s also not clear why it took UH three months to report the breach to lawmakers when state law generally gives state agencies 20 days to do so.
Cyber attacks on universities are common, cybersecurity experts say, in part because of the size of their user base and the wealth of personal and research information on university servers.
Meisenzahl said UH is no exception and that it thwarts most attacks.
“Cyberattacks affecting universities and research institutions are unfortunately very common,” he said. “Like all private and public entities, big or small, UH’s networks face continuous cybersecurity threats.”
