Hackers accessed computer systems holding patient data for a University of Hawaiʻi Cancer Center study in August, but the university had not immediately notified participants, the Associated Press reported Monday. Social Security numbers and other personal information from people in the study were exposed in the breach, AP said.
AP reported that UH outlined the ransomware attack in a report to the state Legislature in December. The report, AP said, appeared to be submitted later than required under state law and lacked information the law requires.
UH officials declined an interview request and, AP said, refused to provide key details including which cancer research project was affected, how many participants’ Social Security numbers were exposed, and whether the university paid hackers to regain access to Cancer Center research files. AP also reported that it remained unclear how UH ensured the hackers destroyed their copies of the purloined data.
According to the legislative report described by AP, hackers broke into Cancer Center servers, encrypted files related to a cancer study, and demanded payment for a program to decrypt the files. AP quoted the report as saying, “UH made the difficult decision to engage with the threat actors in order to protect the individuals whose senstive (sic) information may have been compromised.” “Keeping external stakeholders informed,” UH said, “UH worked with an external team of cybersecurity experts to obtain a decryption tool and to secure destruction of the information the threat actors illegally obtained.”
AP said UH was working to compile names and addresses to notify study participants who might have been affected. The university planned to offer credit monitoring and identity theft prevention to those whose personal information was exposed, AP reported.
In the meantime, AP said, the Cancer Center reset passwords, installed protection software with continual monitoring, rebuilt compromised systems, and conducted a third-party assessment of new security controls.
AP said questions remained about the timeline and the legislative disclosure. State law generally requires government agencies to submit security-breach reports to the Legislature within 20 days of discovering a breach and to include details such as the number of individuals affected, a copy of the notice issued, the number of notices sent, and whether notice was delayed due to law enforcement considerations. AP reported that UH discovered the breach in August and filed the legislative report in December.
The law includes an exception to the 20-day deadline when a law enforcement agency tells an organization that notification may impede a criminal investigation or jeopardize national security, AP said. AP reported the university’s legislative report makes no mention of any such request.
AP also reported that it was unclear how UH decided to engage with the hackers. The FBI discourages paying ransoms, with its cyber division warning that paying emboldens attackers and creates a profitable environment for other criminals, AP said. But AP reported that Chuck Lerch, chief experience officer and head of cybersecurity for HITech Hui in Honolulu, said that FBI guidance does not resolve the practical problem of recovering encrypted data.
AP quoted Lerch saying, “Yeah, the FBI always says, ‘don’t pay it,’” adding that a business owner wants to get back in business and protect customers, and that “FBI doesn’t have the decryption keys. They’re not going to help you.” AP also quoted Lerch describing ransomware decision-making as uncertain: “It’s an honor thing to some degree,” he said, “but you never know.”
Lerch told AP that, despite the risk that attackers may not keep promises about providing keys and destroying stolen data, prevention is often the more cost-effective approach. AP quoted him saying, “Usually an ounce of prevention is definitely worth a pound of rebuilding,” and describing the choice as “You’re gonna pay now or pay later.”
AP reported that, in response to its request for an interview, UH spokesman Dan Meisenzahl provided a statement without additional details beyond those the university reported to the Legislature. The AP report said the statement left multiple questions unanswered, including the project affected and the scope of exposure.