Hackers Accessed University of Hawaii Cancer Center Patient Data; They Weren’t Immediately Notified

The University of Hawaiʻi Cancer Center incident illustrates how ransomware attacks can quickly compromise sensitive health‑research data. While the breach itself is a stark reminder of the value cybercriminals place on personal identifiers, the university’s delayed disclosure raises regulatory red flags. State law mandates a 20‑day breach notification, yet UH waited four months, leaving participants uninformed and potentially vulnerable to identity theft. This lag not only jeopardizes compliance but also damages the institution’s credibility among donors, patients, and regulatory bodies.

Beyond the immediate fallout, the case spotlights the dilemma many healthcare entities face when ransomware encrypts critical research files. UH chose to negotiate with the attackers, a move that conflicts with FBI guidance discouraging ransom payments. Without transparency on whether a ransom was paid, stakeholders cannot assess the financial impact or the likelihood that the stolen data will be destroyed. The episode underscores the need for robust incident‑response plans that prioritize data backups, segmentation, and clear escalation protocols to avoid paying extortionists.

In response, UH has implemented a suite of remedial actions: resetting passwords, deploying continuous monitoring tools, and commissioning third‑party security assessments. Offering credit‑monitoring services to affected participants is a standard mitigation step, yet it does little to restore trust lost through opaque communication. For the broader health‑tech sector, this breach serves as a cautionary tale that compliance, rapid disclosure, and proactive cyber‑hygiene are essential to protect both patient data and institutional reputation in an era of escalating ransomware threats.