Ransomware Attack Exposes 1.2 Million University of Hawaii Cancer Center Records
The University of Hawaii’s (UH) Cancer Center has revealed that it was the victim of a ransomware attack dating back to last summer, resulting in the exposure of sensitive records for 1.2 million individuals. In a public release on February 27, the university disclosed that the attack, first identified on August 31, 2025, was limited to research operations and did not affect clinical operations or patient care.
Initially, UH believed that only research files related to a specific cancer study were compromised. However, further investigation uncovered a trove of personal information dating back to the 1990s, including Social Security numbers, state driver’s license numbers, and city of Honolulu voter registration records. The university engaged cybersecurity experts to obtain a decryption tool, which helped in destroying the illegally obtained information.
Key Insights for Security Professionals 🔍
Security experts noted that the extensive encryption implemented by the attackers delayed the restoration of affected systems. Jason Soroko, a senior fellow at Sectigo, emphasized that when adversaries encrypt not only primary data but also indexing systems and backups, the forensic process becomes complex. This often forces security teams into a recovery phase, requiring them to rebuild systems and piece together fragmented data before notifying affected individuals.
Michael Bell, CEO at Suzu Labs, highlighted that UH was unable to assess what was compromised until it decrypted the servers. This led to the discovery of 1990s-era research files containing 1.2 million Social Security numbers. Bell pointed out that the encryption delay was significant, but the failure to maintain a proper data inventory exacerbated the exposure.
Recommendations for Organizations 🛡️
Organizations should treat credential exposure as an ongoing issue. John Bambenek, president at Bambenek Consulting, advised that many breach notification laws include a “safe harbor” provision, which may exempt organizations from notifying individuals if strong encryption protects the underlying data. This means that the attackers may have had access to enough data for identity or credit fraud for several months.
To mitigate risks, security teams must enforce aggressive network segmentation and deploy immutable, offline backups. Implementing certificate-based authentication and automated certificate lifecycle management can help organizations revoke compromised credentials and identify anomalous encrypted traffic.