
University of Hawaii Cancer Center Quietly Managed a Ransomware Breach for Months Before Telling the Public

The University of Hawaii Cancer Center is facing growing scrutiny after quietly navigating a ransomware attack that compromised decades-old cancer research data, then waiting months to inform regulators and affected individuals.


According to a report filed with the Hawaii state legislature in December, attackers gained unauthorized access to servers supporting cancer research operations in late August. The intruders encrypted systems, disrupted access to research files, and obtained copies of sensitive personal information tied to study participants, including Social Security numbers that dated back to the 1990s.


While the university says there was no impact on patient care or clinical operations, the breach struck at the core of its research infrastructure. The compromised files were linked to a long-running cancer study and contained identifiers that were in use before modern research anonymization standards became common practice.


What has raised alarms among lawmakers and security experts is not only the exposure itself, but the timeline. Hawaii law generally requires disclosure of such incidents within 20 days. The university did not notify the public or affected individuals until December, roughly four months after discovering the attack.


University officials attributed the delay to the scale of the damage. The attackers’ encryption reportedly made systems inaccessible for weeks, slowing forensic analysis and delaying the university’s ability to determine which files had been accessed or taken. During that period, the institution chose to engage directly with the attackers, working with outside cybersecurity firms to obtain a decryption tool and to seek assurances that stolen data would be destroyed.


That strategy has drawn sharp criticism.


“The University of Hawaii (UH) Cancer Center's four-month delay in announcing its August ransomware attack perfectly illustrates how operational failures can trigger a second crisis, this time involving legal and public trust,” said Damon Small, a member of the board of directors at Xcape, Inc.


“By focusing on restoring systems and negotiating with the attackers instead of adhering to Hawaii's 20-day reporting requirement, the University essentially kept study participants in the dark while their Social Security numbers were potentially circulating on the dark web.”


Small questioned the value of the university’s reliance on attacker assurances. “UH decided to ‘engage with the threat actors’ for a decryption tool and to ensure the ‘secure destruction’ of stolen data,” he said. “This may have helped recover the systems but offers no assurance that the stolen information wasn't copied, resold, or kept.”


The university has not disclosed whether a ransom was paid, how much it may have been, or how it verified the alleged destruction of the data. Those omissions, Small argues, have compounded skepticism. “The lack of transparency regarding the ransom and the specific affected research projects has increased skepticism among state legislators,” he said.


Michael Bell, founder and CEO of Suzu Labs, said the delay itself is indefensible regardless of technical complexity. “Four months between incident and disclosure is a problem regardless of the investigation complexity,” Bell said. “Hawaii law sets a 20-day deadline for a reason. Affected individuals need time to protect themselves, and that clock starts when they're notified, not when the organization finishes their internal process.”


Bell also took aim at the idea that attackers can be trusted to erase stolen information. “The ‘secure destruction’ language should raise skepticism,” he said. “There's no way to verify that attackers actually deleted stolen data. Once data leaves your environment, you've lost control of it permanently. Paying for a deletion promise gives you a receipt, not a guarantee.”


Beyond the immediate breach, experts say the incident exposes a deeper, systemic problem across academic research institutions. The compromised files included Social Security numbers used decades ago as participant identifiers, data that arguably should have been purged or reidentified long before the attack.


“The 1990s files containing Social Security numbers highlight a persistent problem,” Bell said. “Organizations hold data far longer than they need it, often without knowing what they have. Legacy data retention creates liability that compounds over time.”


The university has outlined a series of remediation steps, including rebuilding systems, resetting credentials, deploying endpoint protection with continuous monitoring, and conducting third-party security assessments. It has also committed to offering credit monitoring and identity theft protection to affected individuals once notifications are issued.


Still, for critics, the broader lesson is about accountability in an era where ransomware attacks are no longer rare shocks but expected threats.


“For institutions handling sensitive health data, the ‘fix it first, tell later’ approach is no longer acceptable,” Small said. “Silence after a breach doesn’t protect victims; it exposes them.”
