University of Hawaiʻi Cancer Center's 2025 Ransomware Attack: A Wake-Up Call for Research Institutions
Executive Summary
In August 2025, the University of Hawaiʻi Cancer Center's Epidemiology Division experienced a ransomware attack that encrypted and potentially exfiltrated sensitive data. The breach affected approximately 1.24 million individuals, exposing personal information such as Social Security numbers, driver's license numbers, and health-related data. The university engaged with cybersecurity experts and the attackers to obtain a decryption tool and secure assurances that the stolen data was destroyed. There was no impact on clinical operations, patient care, or student records. (hawaii.edu)
This incident underscores the growing threat of ransomware attacks targeting research institutions and the critical importance of robust cybersecurity measures to protect sensitive personal and health information. Organizations must remain vigilant and proactive in implementing comprehensive security protocols to mitigate such risks.
Why This Matters Now
The University of Hawaiʻi Cancer Center's ransomware attack highlights the escalating threat to research institutions and the urgent need for enhanced cybersecurity measures to protect sensitive data.
Attack Path Analysis
In August 2025, attackers gained unauthorized access to the University of Hawaiʻi Cancer Center's Epidemiology Division servers, likely through exploiting vulnerabilities or compromised credentials. They escalated privileges to access sensitive research data, then moved laterally within the network to identify and exfiltrate files containing personal information of nearly 1.2 million individuals. The attackers established command and control channels to manage the ransomware deployment, encrypting vast amounts of data. They exfiltrated sensitive information, including Social Security numbers and health data, before deploying ransomware to encrypt the compromised systems. The impact was significant, leading to data breaches and operational disruptions, prompting the university to engage with the attackers to obtain decryption tools and assurances of data destruction.
Kill Chain Progression
Initial Compromise
Description
Attackers gained unauthorized access to the University of Hawaiʻi Cancer Center's Epidemiology Division servers, likely through exploiting vulnerabilities or compromised credentials.
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Valid Accounts
Data Encrypted for Impact
Inhibit System Recovery
Impair Defenses: Disable or Modify Tools
Indicator Removal on Host: Clear Windows Event Logs
Remote Services: Remote Desktop Protocol
Windows Management Instrumentation
File and Directory Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – System Monitoring
Control ID: SI-4
PCI DSS 4.0 – Audit Log Integrity
Control ID: 10.5.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Protection
Control ID: Pillar 3: Data
HIPAA – Risk Analysis
Control ID: 164.308(a)(1)(ii)(A)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Ransomware targeting cancer research facilities with patient health data creates massive HIPAA compliance risks and operational disruption across medical institutions.
Higher Education/Acadamia
University systems storing sensitive research data and personal records face ransomware threats requiring enhanced egress security and zero trust segmentation.
Research Industry
Epidemiological research organizations handling historical health registries need improved encrypted traffic controls and threat detection to prevent data exfiltration.
Government Administration
State agencies providing driver's license and voter registration data to researchers require stronger multicloud visibility and anomaly detection capabilities.
Sources
- UH Cancer Center data breach affects nearly 1.2 million peoplehttps://www.bleepingcomputer.com/news/security/university-of-hawaii-cancer-center-ransomware-attack-affects-nearly-12-million-people/Verified
- Notice of UH Cancer Center cyberattack affecting personal informationhttps://www.hawaii.edu/news/2026/02/27/notice-of-cyberattack-uh-cancer-center/Verified
- Data breach reported by University of Hawaiʻi Cancer Centerhttps://www.upguard.com/news/university-of-hawaii-cancer-center-data-breach-2026-03-02Verified
- 1.2 Million Affected by University of Hawaii Cancer Center Data Breachhttps://www.securityweek.com/1-2-million-affected-by-university-of-hawaii-cancer-center-data-breach/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Implementing Aviatrix Zero Trust CNSF could have significantly limited the attacker's ability to move laterally and exfiltrate sensitive data during the University of Hawaiʻi Cancer Center breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained, reducing the likelihood of unauthorized entry.
Control: Zero Trust Segmentation
Mitigation: Privilege escalation attempts could have been restricted, limiting access to sensitive data.
Control: East-West Traffic Security
Mitigation: Lateral movement within the network may have been limited, reducing the attacker's ability to access multiple systems.
Control: Multicloud Visibility & Control
Mitigation: Establishment of command and control channels could have been detected and disrupted, limiting attacker coordination.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts may have been identified and blocked, reducing the risk of sensitive information being transmitted out.
The scope of system encryption and operational disruption could have been limited, reducing overall impact.
Impact at a Glance
Affected Business Functions
- Research Data Management
- Participant Recruitment
- Data Analysis
Estimated downtime: 30 days
Estimated loss: N/A
Personal information of approximately 1.24 million individuals, including Social Security numbers, driver's license numbers, voter registration records, and health-related information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit access to sensitive data.
- • Enhance East-West Traffic Security to monitor and control internal network communications.
- • Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- • Establish Threat Detection & Anomaly Response mechanisms to identify and mitigate potential threats promptly.
