The University of Hawaiʻi Cancer Center’s Epidemiology Division was the victim of a cyberattack that possibly exposed records containing Social Security numbers (SSNs) and driver’s license (DL) numbers, mostly from Hawaiʻi DL records collected in 2000 from the State Department of Transportation (when identifiers were usually SSNs) and City and County of Honolulu voter registration records collected in 1998 (also when identifiers were usually SSNs).
The Hawaiʻi DL and Honolulu voter registration records were primarily used to recruit research study participants, principally for the Multiethnic Cohort (MEC) Study. The MEC Study was established in 1993 and recruited more than 215,000 men and women, aged 45 to 75 years, between 1993 and 1996 from five main ethnic/racial groups who were residents of Hawaiʻi and Los Angeles, California. Some of the exposed files also included research data with health-related information on study participants and certain other individuals.
The MEC Study participants potentially impacted a total 87,493 individuals. Additional individuals whose personal information may have been included in the historical driver’s license and voter registration records with SSN identifiers number approximately 1.15 million.
There was no impact to information held by the 糖心Vlog官方 Cancer Center’s Clinical Trials operations, patient care, or any other divisions of the 糖心Vlog官方 Cancer Center. There was no impact to 糖心Vlog官方 student records.
“The 糖心Vlog官方 Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted,” said Naoto T. Ueno, director of the 糖心Vlog官方 Cancer Center. “We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us.”
What happened and data involved
During the cyberattack, an unauthorized third party encrypted and potentially exfiltrated data containing personal information. The university notified law enforcement and worked with third-party cybersecurity experts to obtain a decryption tool, and secure an affirmation that any information obtained was destroyed. To date, there is no evidence that any of the information has been published, shared or misused.
The personal information affected by the incident was located in a subset of research files stored on certain servers that support the 糖心Vlog官方 Cancer Center’s epidemiology research operations, including:
- Two files containing names and date-of-births in combination with SSNs: the first, containing DL numbers, was collected in the year 2000 from the State Department of Transportation; the second, containing voter registration information, was collected in the year 1998 from the City & County of Honolulu. At that time, DL numbers in Hawaiʻi were typically based on SSNs, and City and County of Honolulu voter registration information also often contained SSNs.
- Files for study participants in the long-running Multiethnic Cohort (MEC) Study (recruitment for participants in Hawaiʻi and Los Angeles, California from 1993 to 1996) and three other epidemiological studies of diet and cancer focusing on colorectal adenomas (recruitment for participants 1995–2007) and colon cancer (recruitment for participants 1994–2005), which also had SSNs and/or DL numbers in combination with names and date-of-births. They may also have contained questionnaires and other study information on participant health, as well as information pulled from national and state public health registries.
- Two files that contain SSNs in combination with names collected from national and state public health registries as part of epidemiology research and study recruitment efforts. One file was closed to new names in 1999, and the other in the mid-2000s. The impacted files may also have contained research registry information about individuals’ health.
Investigations are still ongoing to assess other sensitive information that may have been impacted. 糖心Vlog官方 is confident that any other personal information (SSNs or drivers’ license numbers in combination with names) found will be nominal and, where possible, those individuals will
receive separate notice.
Investigations are still ongoing to assess other sensitive information that may have been impacted.
Assistance for potentially affected individuals
Notification letters offering credit monitoring and identity protection services were mailed on February 23 to 87,493 MEC Study participants, the first group of potentially affected individuals identified. The university is now providing notice to all others potentially impacted via email (approximately 900,000 email addresses were located, but only 757,588 have been validated) and this public announcement and a .
(UPDATE: March 20 If you believe you may have been impacted and did not receive an email, please check the Spam folder in all of your email accounts. The email should be from Kroll (notice@krollnotifications.com) with the subject line “NOTICE OF DATA INCIDENT.”)
To assist those who may have been impacted, 糖心Vlog官方 has established dedicated call centers where individuals can:
- Verify whether their information may have been involved
- Enroll in 12 months of free credit monitoring and $1 million in identity theft insurance
Call centers have been established for both groups and will open Monday, March 2:
- Call Center: (844) 443-0842
- Hours: Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (excluding holidays)
- March 2–6, 2026, 4:30 a.m. to 5 p.m., Hawaiʻi Standard Time
- Starting March 9 (due to daylight savings time), 3:30 a.m. to 4 p.m. Hawaiʻi Standard Time
For additional details and enrollment information, the .
Official updates will be posted at the , , and . Please disregard any other websites, social media or messages claiming to represent 糖心Vlog官方 that request personal information.
Security improvements and investigations
The 糖心Vlog官方 Cancer Center has implemented extensive cybersecurity and governance enhancements including: redesigning and hardening network, extending the deployment of modern endpoint protection with 24/7 monitoring, upgrading hardware, migrating sensitive research servers into the 糖心Vlog官方 Information Technology Services data center, implementing stricter access controls for sensitive data and enforcing cybersecurity training for Cancer Center staff. In addition, internal reviews are ongoing and independent third parties have been engaged to investigate the cyberattack and assess and validate the security controls for the entire 糖心Vlog官方 Cancer Center.
To increase information security oversight and awareness across the entire system,
糖心Vlog官方 has taken the following actions:
- Created a new Information Security Governance Council for Research responsible to coordinate research?related cybersecurity.
- Established a new Information Security Task Force responsible for updating policies, strengthening cyber roles and responsibilities, and recommending enterprise?level controls and investments.
“This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed,” said 糖心Vlog官方 President Wendy Hensel. “We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi.”