Cybersecurity | 27 Feb 2026 | 3m | hawaii.edu

UH Cancer Center Cyberattack Exposes Personal Data of Many Individuals

The University of Hawaiʻi Cancer Center's Epidemiology Division suffered a cyberattack, potentially exposing sensitive personal information for over 1 million individuals. The incident has triggered responses from state authorities, cybersecurity experts, and the institution itself.

Key Takeaways

  1. Notably, about 1.15 million individuals whose personal details might be linked to these historical records also fall within the scope of the breach.
  2. "The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted," said Naoto T.
  3. Two additional files with names corresponding to SSNs, tracing back to DL records gathered from the State Department of Transportation in 2000 and voter registration data captured from Honolulu in 1998.

The University of Hawaiʻi Cancer Center has confirmed a cyberattack that compromised personal information from its Epidemiology Division, raising serious concerns about data security and the protection of individuals' sensitive data.

"The UH Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted," said Naoto T. Ueno, director of the UH Cancer Center. The breach involves records that may contain Social Security numbers (SSNs) and driver's license (DL) numbers, largely derived from state records used for past research studies.


By the Numbers

The compromised data primarily originates from 2000 and 1998, during a time when SSNs were frequently used as identifiers. This data was initially collected from the State Department of Transportation and voter registration records in Honolulu, primarily for recruiting participants for the Multiethnic Cohort (MEC) Study. Established in 1993, this study amassed more than 215,000 participants from diverse backgrounds in Hawaiʻi and Los Angeles, California.

Approximately 87,493 individuals connected to the MEC Study may have been affected by this cyber incident. Notably, about 1.15 million individuals whose personal details might be linked to these historical records also fall within the scope of the breach.

Ueno emphasized the institution's commitment to addressing the incident: "We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us."

An unauthorized third party encrypted data and possibly exfiltrated personal information during the attack. In response, the university promptly notified law enforcement and engaged third-party cybersecurity experts to contain the situation. Efforts were made to secure a decryption tool, and assurances were obtained that any extracted data was destroyed. So far, the university has found no evidence indicating that any compromised information has been published or misused.

The affected personal information was stored in a subset of research files located on servers linked to the university's epidemiology operations. The specifics of the compromised data include:

1. Two files containing SSNs tied to names from public health registries used for recruitment purposes in epidemiological studies, one ending in 1999 and the other in the mid-2000s.
2. Files from the MEC Study and three other studies focused on cancer and dietary habits, which contained SSNs and DL numbers alongside personal names, as well as health-related information.
3. Two additional files with names corresponding to SSNs, tracing back to DL records gathered from the State Department of Transportation in 2000 and voter registration data captured from Honolulu in 1998.

As investigations continue, the university remains optimistic that any further sensitive information discovered will be minimal, and affected individuals will receive separate notifications as necessary.

Impact and Legacy

In light of this cyberattack, the UH Cancer Center sent out notification letters on February 23, offering credit monitoring and identity protection services to the 87,493 individuals who make up the first wave of impacted individuals identified. To extend its outreach, the university plans to inform approximately 900,000 additional individuals via email notifications, together with a public announcement to raise awareness.

The Cyberattack Information and Resource Website established by the UH Cancer Center aims to provide ongoing assistance and updates related to the incident.

Moving forward, the university is determined to strengthen its cybersecurity measures and restore trust among affected individuals and the community at large. This incident underscores the increasing threat of cyberattacks and the critical importance of safeguarding personal information in research institutions.