Hackers broke into University of Hawaiʻi Cancer Center servers in August and exposed Social Security numbers and other personal information belonging to participants in a cancer research study, according to a report the university submitted to the Hawaii Legislature in December. Four months after discovering the breach, the university had not yet notified the individuals whose data was stolen.
The delayed disclosure raises questions about compliance with a Hawaii state law that generally requires government agencies to report data security breaches to the Legislature within 20 days of discovery. University officials declined to reveal which research project was targeted, how many study participants were affected, or whether the institution paid the hackers a ransom.
A ransomware attack struck the University of Hawaiʻi Cancer Center in August, exposing Social Security numbers and other personal data from participants in a cancer research study, according to a report the university submitted to the state Legislature in December. More than four months after discovering the breach, the university had not yet notified any of the people whose information was stolen.
UH officials declined an interview request and refused to provide basic details about the incident — including which cancer research project was affected, how many participants had Social Security numbers exposed, and whether the university paid the hackers.
Report Filed Late, with Key Information Missing
Hawaii state law generally requires government agencies to report data security breaches to the Legislature within 20 days of discovering them. The law specifies that such reports must include the number of individuals affected, a copy of the breach notification sent to those individuals, the number of people notified, and whether notification was delayed at the request of law enforcement.
UH discovered the breach in August. It filed its report with the Legislature in December. The report omitted the information the law requires. The law provides an exception to the 20-day deadline when a law enforcement agency determines that notification could impede a criminal investigation or jeopardize national security, but UH’s report made no mention of any such request.
UH spokesman Dan Meisenzahl responded to an interview request with a written statement that contained no details beyond what was already in the Legislature report.
University Engaged with Hackers
The Legislature report said the hackers broke into Cancer Center servers, encrypted files related to a cancer study, and demanded payment for a program to restore access to the files.
The university said it decided to negotiate with the attackers. “UH worked with an external team of cybersecurity experts to obtain a decryption tool and to secure destruction of the information the threat actors illegally obtained,” the university reported to the Legislature.
It is not clear how UH verified that the hackers actually destroyed their copies of the stolen data.
The FBI discourages organizations from paying ransoms to hackers. “Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved,” the agency’s cyber division states.
Chuck Lerch, chief experience officer and head of cybersecurity for HITech Hui, an IT and cybersecurity firm in Honolulu, said FBI guidance does not always match the reality facing affected organizations.
“Yeah, the FBI always says, ‘don’t pay it,’” Lerch said. “But then, you know, you have the business owner that wants to get back in business, and they want to protect their customers, and they’re going to pay it. I mean, at the end of the day, FBI doesn’t have the decryption keys. They’re not going to help you.”
Lerch acknowledged that paying a ransom carries its own risks — hackers may not deliver working decryption tools or may keep copies of stolen data. He said many ransomware operators nevertheless follow an informal code of conduct, viewing reliability as essential to sustaining what he called “the most profitable business in the history of the world.”
“It’s an honor thing to some degree,” Lerch said, “but you never know.”
He said the most effective approach remains prevention.
“Usually an ounce of prevention is definitely worth a pound of rebuilding,” Lerch said. “So it’s, ‘You’re gonna pay now or pay later.’”
Notification and Remediation
UH said it is working to compile names and addresses for study participants who may have been affected, and plans to offer credit monitoring and identity theft prevention services once notifications go out. The university did not specify when those notifications would be sent.
Since the breach, the Cancer Center has reset passwords, installed protection software with continuous monitoring, rebuilt compromised systems, and completed a third-party assessment of the new security controls, according to the Legislature report.