Even in the world of cyber-criminals, there are some targets that simply won’t earn you any admiration. One such case is a cyber attack involving the University of Hawaii’s Cancer Center Epidemiology Division, with the data targeted including the social security numbers and driver’s licenses of somewhere between 87K (MEC Study pool) to 1,15 million individuals.
Fortunately, the attack had no impact on patient care or information held by Clinical Trials or student records, but the exact nature of the ransomware attack lends uncertainty to how much, if any of the data was properly exfiltrated before decryption. The attack occurred in August 2025 and, at least to date, no confirmed leak or abuse of the data has yet been confirmed.
Even so, the University did put out a notice for potentially affected individuals, offering 12 months of free credit monitoring and $1 million in identity theft insurance for those whose data was targeted by the ransomware incident.
This is the ideal response and it should help bring peace of mind to those whose data was managed by the Cancer Center Epidemiology Division, though the possibility of a silent cache of 1.2 million stolen identity details is quite chilling. Hopefully, impacted users take steps to enter these programs sooner rather than later. After all, the data was only supposedly disposed of after the University of Hawaii paid up the ransomware gang, meaning there’s no real guarantee that the attackers didn’t simply pocket the money and the stolen information. “Honor among thieves” may not apply when the attackers have already targeted such a sensitive operation.
Sadly, this not the first time that a ransomware game has been this heartless. Last year, a data breach at DaVita exposed sensitive information of over 2.7 million kidney dialysis patients. In another incident, a study found that hospitals hit by cyber attacks witnessed increased death rates among patients with heart issues. Then there was that time with the LockBit ransomware gang breach The Hospital for Sick Children, also known as SickKids (though at least the gang apologized after). The list goes on.
In a statement onHawaii.edu, UH President Wendy Hensel said, “This cyberattack requires a comprehensive, system-wide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed. We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is our mission and our responsibility to the people of Hawaii.”
In a rapidly-evolving era of AI-driven ransomware and malware in general, one hopes that Wendy Hensel’s statements prove true and that the University is strengthening its defenses against cyber attacks. It and other places with substantial patient databases like it will need to remain on the cutting edge of cybersecurity practices to avoid the fallout of attacks like these.
Image Credit: Sdkb on WikiMedia Commons (CC 4.0 License), Mohamed_hassan on Pixabay
