Executive Summary
In August 2025, the University of Hawaii Cancer Center experienced a ransomware incident that resulted in threat actors encrypting systems associated with a specific research project. The intrusion led to the exfiltration and encryption of files, some of which dated back to the 1990s and included research participant data containing Social Security numbers, predating modern de-identification practices. While only research files and not clinical or patient treatment data were affected, the disruption necessitated a comprehensive remediation effort including system replacements, forensic investigations, ransomware payment for decryption, and negotiations for deletion of exfiltrated information.
This incident underscores the targeting of higher-education and research organizations by ransomware attackers seeking both data and financial gain. With universities increasingly storing decades-old PII, and ransomware groups escalating both exfiltration and extortion, the breach exemplifies the urgency of robust detection, legacy data management, and compliance disciplines in the education and research sector.
Why This Matters Now
The University of Hawaii Cancer Center breach highlights persistent vulnerabilities in research environments, especially related to legacy data containing sensitive PII. As ransomware operators continue to target under-protected sectors, academic organizations face urgent pressure to modernize security controls, enhance east-west security, and ensure historical records are safeguarded against evolving extortion tactics.
Attack Path Analysis
Attackers likely gained initial access through a vulnerable research system, possibly via phishing or exposed credentials. After establishing a foothold, they escalated privileges to access sensitive research files. Using lateral movement techniques, they traversed internal systems to locate and aggregate historical data. They established command and control channels, maintaining persistence and issuing commands to compromised assets. The attackers exfiltrated documents containing personally identifiable information before deploying ransomware to encrypt files. The impact included major operational disruption and data exposure, forcing victim engagement and ransom payment.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a vulnerable research system or user, possibly via phishing or exposed credentials, to gain a foothold in the Cancer Center environment.
MITRE ATT&CK® Techniques
Techniques are mapped for detection, SEO, and filtering; full enrichment with STIX/TAXII data is possible in future iterations.
Exploit Public-Facing Application
Valid Accounts
Phishing
Command and Scripting Interpreter
Data Encrypted for Impact
Exfiltration Over C2 Channel
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 Rev.5 – Incident Handling
Control ID: IR-4
CISA ZTMM 2.0 – Asset Management
Control ID: ID.AM-1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
NIS2 Directive (EU) – Cybersecurity Risk Management Measures
Control ID: Article 21
PCI DSS v4.0 – Security Events Monitoring
Control ID: 10.2.5
HIPAA Security Rule – Risk Analysis
Control ID: 164.308(a)(1)(ii)(A)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Higher Education / Academia
Universities face critical ransomware exposure targeting research data and legacy systems, requiring enhanced endpoint protection, segmentation, and encrypted traffic monitoring capabilities.
Health Care / Life Sciences
Cancer research centers are vulnerable to data exfiltration attacks that compromise patient information, which demands HIPAA-compliant threat detection and secure hybrid connectivity.
Research Industry
Research organizations storing historical participant data are at risk from ransomware gangs that exploit weak east-west traffic security and inadequate egress filtering controls.
Airlines/Aviation
The aviation sector is experiencing parallel cyberattacks that disrupt IT systems, highlighting the need for multicloud visibility, anomaly detection, and resilient operational security frameworks.
Sources
- University of Hawaii Cancer Center hit by ransomware attack: https://www.bleepingcomputer.com/news/security/university-of-hawaii-cancer-center-hit-by-ransomware-attack/
- Report to the 2026 Legislature on Data Exposure at the University of Hawaiʻi – Cancer Center: http://www.hawaii.edu/govrel/docs/reports/2026/hrs487n-4_2026_cancer-center-exposure_report_508.pdf
- Hackers accessed University of Hawaii Cancer Center patient data; they weren’t immediately notified: https://www.wcbi.com/hackers-accessed-university-of-hawaii-cancer-center-patient-data-they-werent-immediately-notified/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
The incident demonstrates how segmentation, east-west traffic security, egress policy enforcement, and real-time anomaly detection—core CNSF and zero trust controls—could have restricted attacker movement, detected abnormal behavior, and minimized data loss during each kill chain stage.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Real-time inline policy enforcement would block unauthorized initial access.
Control: Zero Trust Segmentation
Mitigation: Identity-based segmentation limits privilege expansion to only necessary resources.
Control: East-West Traffic Security
Mitigation: Unapproved east-west movement is detected and blocked between sensitive workloads.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous outbound traffic patterns trigger alerts for timely incident response.
Control: Egress Security & Policy Enforcement
Mitigation: Exfiltration attempts are blocked or closely monitored based on strict outbound policy.
Broad operational visibility accelerates incident response and limits ransomware effects.
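The segmentation, east-west and egress controls listed above reduce to one decision per network flow: is this source zone allowed to reach this destination on this port, and if the destination is external, is it on the zone's sanctioned egress list. The following Python is an added example of that decision logic run over constructed flow records; it is not code from the report, from the university, or from any CNSF product. The zone CIDRs, allowlists, addresses and byte counts are all assumptions made up for illustration.

```python
"""
Flow-policy evaluator: zero trust segmentation (east-west) plus egress
allowlisting, run over constructed flow records.

Added example; not from the original report or any product. All zones,
rules and sample flows below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zones (assumption: a research workstation network, a legacy
# research data store, and a backup segment).
ZONES = {
    "research-workstations": ipaddress.ip_network("10.10.0.0/24"),
    "legacy-data-store": ipaddress.ip_network("10.20.0.0/24"),
    "backup-servers": ipaddress.ip_network("10.30.0.0/24"),
}

# East-west allowlist: (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is treated as unapproved lateral movement.
EAST_WEST_ALLOW = {
    ("research-workstations", "legacy-data-store", 445),  # file access to the store
    ("backup-servers", "legacy-data-store", 22),          # backup job over SSH
}

# Egress allowlist per zone: external (destination, port) pairs the zone may
# reach. The legacy data store is never allowed to initiate outbound traffic.
EGRESS_ALLOW = {
    "research-workstations": {("203.0.113.10", 443)},  # constructed sanctioned service
    "backup-servers": set(),
    "legacy-data-store": set(),
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def zone_of(addr):
    """Return the zone name an address belongs to, or None if it is external."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow):
    """Classify one flow against the east-west and egress policies."""
    src_zone = zone_of(flow.src)
    dst_zone = zone_of(flow.dst)
    if src_zone is None:
        return "ingress-unclassified"          # inbound from outside; out of scope here
    if dst_zone is not None:
        if src_zone == dst_zone:
            return "allow-intra-zone"          # microsegmentation would refine this
        key = (src_zone, dst_zone, flow.dport)
        return "allow" if key in EAST_WEST_ALLOW else "block-lateral"
    # Destination is external, so the zone's egress policy applies.
    if (flow.dst, flow.dport) in EGRESS_ALLOW.get(src_zone, set()):
        return "allow-egress"
    return "block-egress"


def parse_flow(line):
    """Constructed flat record format: '<src> <dst> <dport> <bytes>'."""
    src, dst, dport, nbytes = line.split()
    return Flow(src, dst, int(dport), int(nbytes))


# Constructed sample flows: a sanctioned file read, an unapproved RDP hop to
# the backup segment, a large outbound transfer from the data store, a
# sanctioned HTTPS call, and a sanctioned backup session.
SAMPLE_FLOWS = """\
10.10.0.15 10.20.0.5 445 20480
10.10.0.15 10.30.0.8 3389 1200
10.20.0.5 198.51.100.77 443 734003200
10.10.0.15 203.0.113.10 443 51200
10.30.0.8 10.20.0.5 22 409600
""".strip().splitlines()


def audit(lines):
    """Evaluate every record; returns (src, dst, dport, verdict) tuples."""
    results = []
    for line in lines:
        f = parse_flow(line)
        results.append((f.src, f.dst, f.dport, evaluate(f)))
    return results


def violations(lines):
    """Only the records a policy-enforcing fabric would have blocked."""
    return [r for r in audit(lines) if r[3].startswith("block")]


if __name__ == "__main__":
    for src, dst, dport, verdict in audit(SAMPLE_FLOWS):
        print(f"{src:>14} -> {dst:<16} :{dport:<5} {verdict}")
```

Two of the five constructed flows are blocked: the RDP hop from a research workstation into the backup segment (the lateral movement the kill chain describes) and the 700 MB transfer from the legacy data store to an external address (the exfiltration stage). In practice the allowlists would be generated from an asset inventory rather than typed by hand, and "block" verdicts would feed both enforcement and the incident response queue.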
Impact at a Glance
Affected Business Functions
- Research Operations
Estimated downtime: 30 days
Estimated loss: $500,000
Personal information, including Social Security numbers from the 1990s, of cancer study participants was accessed and potentially exfiltrated.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation and microsegmentation to limit lateral movement between research networks and legacy data stores.
- Enforce granular egress policies and outbound filtering to block data exfiltration attempts by unauthorized processes or users.
- Implement comprehensive east-west traffic inspection to detect and stop lateral pivoting by threat actors within internal environments.
- Integrate real-time threat detection and anomaly response to rapidly discover and contain ongoing attacks before data theft or encryption can occur.
- Continuously audit and monitor all cloud, on-prem, and hybrid infrastructures for policy drift or unauthorized changes affecting sensitive workloads.
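The anomaly-response control above ("anomalous outbound traffic patterns trigger alerts") and the fourth action in this list depend on a per-host baseline rather than a fixed allowlist: a file server that normally sends tens of megabytes a day and suddenly sends hundreds is the signal, even when the destination is not explicitly blocked. The following Python is an added example of one such detector, using a median-plus-MAD baseline so that a single earlier spike does not inflate the threshold. It is not code from the report, the university, or any product; the host names, daily byte counts, window length and multiplier are constructed assumptions a team would tune to its own traffic.

```python
"""
Outbound-volume anomaly detector over per-host daily byte counts.

Added example; not from the original report or any product. The series,
baseline window and threshold multiplier below are constructed assumptions.
"""
from statistics import median

MB = 1024 * 1024
BASELINE_DAYS = 14                 # assumption: two weeks of history per host
MAD_MULTIPLIER = 6.0               # assumption: how far beyond normal spread to alert
MIN_ABS_BYTES = 50 * MB            # assumption: ignore hosts that never send much


def robust_threshold(history):
    """Median + k * MAD of the baseline window.

    MAD (median absolute deviation) is used instead of standard deviation so
    that one earlier large day in the window does not raise the threshold
    enough to hide a second one.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # A perfectly flat history gives MAD 0; use a small floor so that a
    # meaningful increase still registers instead of every byte alerting.
    spread = mad if mad > 0 else max(med * 0.1, 1.0)
    return med + MAD_MULTIPLIER * spread


def detect(series):
    """series: {host: [bytes_day1, ..., bytes_dayN]} -> list of alert dicts.

    Each day after the baseline window is compared against the threshold
    computed from the preceding BASELINE_DAYS days for that host only.
    """
    alerts = []
    for host, daily in series.items():
        if len(daily) <= BASELINE_DAYS:
            continue                       # not enough history to baseline
        for i in range(BASELINE_DAYS, len(daily)):
            window = daily[i - BASELINE_DAYS:i]
            threshold = robust_threshold(window)
            today = daily[i]
            if today > threshold and today > MIN_ABS_BYTES:
                alerts.append({"host": host, "day": i,
                               "bytes": today, "threshold": threshold})
    return alerts


# Constructed series (14 baseline days followed by one day under test):
#  - research-fs-01: a quiet file server that suddenly pushes 700 MB out
#  - ws-22: a workstation with flat 5 MB/day and a harmless bump to 6 MB
#  - backup-01: a high-volume host whose 406 MB day is within its normal spread
SAMPLE_SERIES = {
    "research-fs-01": [x * MB for x in
                       [22, 25, 21, 27, 24, 23, 26, 22, 25, 24, 23, 27, 26, 24, 700]],
    "ws-22": [5 * MB] * 14 + [6 * MB],
    "backup-01": [x * MB for x in
                  [400, 410, 395, 405, 400, 398, 402, 401, 399, 403,
                   400, 397, 404, 400, 406]],
}


if __name__ == "__main__":
    for a in detect(SAMPLE_SERIES):
        print(f"ALERT {a['host']} day {a['day']}: "
              f"{a['bytes'] / MB:.0f} MB out (threshold {a['threshold'] / MB:.0f} MB)")
```

Only the research file server fires: its baseline threshold works out to about 33 MB and the 700 MB day is far beyond it, while the backup host's 406 MB day stays under its own 412 MB threshold because that host is always busy. The absolute floor keeps low-volume workstations from alerting on trivial changes. Real deployments would replace the constructed dictionary with counts aggregated from flow logs or proxy logs per host per day, and would treat an alert on a host that holds legacy participant data as a priority containment event.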

