Institutional response following the data breach at the University of Hawaii Cancer Centre

The data breach at the University of Hawaii Cancer Centre came to light in late February 2026, when suspicious activity was detected on its systems. The institution officially announced the cyberattack on 27 February 2026, following a preliminary investigation into the scope of the incident. It was confirmed at that time that this was a ransomware attack targeting systems linked to epidemiological research. The disclosure came after months of digital forensic analysis, which delayed the public notification but allowed for a better assessment of the impact.

The attack compromised databases containing sensitive information on approximately 1.2 million people, including study participants and historical records used for research. The exposed data includes National Insurance numbers, official identification numbers and other personal information, some of which was sourced from old public records. Despite the scale of the breach, the university stated that clinical systems and data on patients undergoing treatment were not affected, with the incident being limited to the research sphere. After detecting the intrusion, the institution isolated the affected systems, engaged external cybersecurity experts and worked on data recovery, including negotiations with the attackers. Those affected were also notified and offered free credit monitoring services as a risk mitigation measure.

The incident is currently in the follow-up and fallout management phase, with the University of Hawaii strengthening its security protocols and working with the authorities to investigate what happened. Although no misuse of the leaked data has been publicly confirmed, the volume and sensitivity of the information exposed mean that a latent risk remains for those affected. Furthermore, legal investigations have begun to emerge that could lead to class-action lawsuits, adding institutional pressure to ensure transparency and accountability.