The University of Hawaiʻi Cancer Center waited four months to report a ransomware attack that exposed the Social Security numbers and personal data of research participants. Although the university eventually notified the Legislature in December, officials have refused to disclose the number of people affected or whether a ransom was paid to the hackers.
In August, hackers successfully breached the servers of the University of Hawaiʻi Cancer Center, gaining access to sensitive files linked to a specific research study. The attackers encrypted the data and demanded payment in exchange for a decryption tool to restore access. Despite state laws regarding timely notification of data breaches, the university did not acknowledge the incident in a formal report to the Legislature until December, several months after the initial compromise occurred.
University officials have maintained a level of secrecy regarding the details of the breach, declining interviews and withholding specific information about the project involved. It remains unclear exactly how many participants had their Social Security numbers stolen or what specific measures were taken to ensure the hackers actually destroyed the copies of the data they stole. UH has also not confirmed the financial cost of the incident or whether it met the hackers' specific monetary demands.
The university’s report to the Legislature suggests that the decision to communicate with the hackers was made to protect the individuals whose sensitive information was at risk. By working with a team of outside cybersecurity experts, the university claims it was able to obtain the necessary tools to decrypt its files. It also asserted that it sought assurances from the threat actors that the stolen information would be destroyed, though the reliability of such agreements with cybercriminals is often questioned.
According to the report, the university is currently in the process of identifying the names and addresses of the affected study participants. Once this list is compiled, UH intends to send out notifications and provide credit monitoring and identity theft protection services to those whose privacy was compromised. This delay in notification has raised concerns regarding compliance with state transparency requirements and the immediate safety of the victims' personal identities.
To prevent future incidents, the Cancer Center has implemented several new security protocols. These measures include resetting all user passwords, installing advanced monitoring software, and completely rebuilding the systems that were breached. Additionally, a third-party assessment was conducted to verify that the updated security controls are sufficient to protect the center's research data moving forward.
Source: UH Engaged With Hackers After Cancer Study Data Was Hijacked


