General Information
This webpage provides information and resources for individuals who may have been impacted by a cyberattack on study recruitment and research data of the University of Hawaiʻi Cancer Center’s (UHCC) Epidemiology Division. There was no impact on the UHCC’s Clinical Trials Operations, patient care or other divisions. There was no impact to UH student records.
- February 27, 2026, public announcement of cyberattack
- February 27, 2026, report to the Hawaiʻi State Legislature
Potentially Exposed Information
A subset of research files containing personal information and stored on servers that support the UHCC’s epidemiology studies, recruitment, and research operations was exposed, including:
- Two files containing names and dates of birth in combination with Social Security numbers (SSNs): the first, containing DL numbers, was collected in the year 2000 from the State Department of Transportation; the second, containing voter registration information, was collected in the year 1998 from the City & County of Honolulu. At that time, DL numbers in Hawaiʻi were typically based on SSNs, and City and County of Honolulu voter registration information also often contained SSNs.
- Files for study participants in the long-running Multiethnic Cohort Study (recruitment for participants in Hawaiʻi and Los Angeles, California from 1993–1996) and three other epidemiological studies of diet and cancer focusing on colorectal adenomas (recruitment for participants 1995–2007) and colon cancer (recruitment for participants 1994–2005), which also had SSNs and/or DL numbers in combination with names and dates of birth. They may also have contained questionnaires and other study information on participant health, as well as information pulled from national and state public health registries.
- Two files that contain SSNs in combination with names collected from national and state public health registries as part of epidemiology research and study recruitment efforts. One file was closed to new names in 1999, and the other in the mid-2000s. The impacted files may also have contained research registry information about individuals’ health.
Investigations are still ongoing to assess whether any other sensitive information may have been impacted.
Official notifications
February 27, 2026
- Notice to potentially affected individuals (through publication in media, on websites and through email distribution in March where email addresses have been found; approximately 900K were found, but only 757,588 have been validated). Notice of Data Incident.
- If you believe you may have been impacted and did not receive an email, please check the Spam folder in all of your email accounts. The email should be from Kroll (notice@krollnotifications.com) with the subject line “NOTICE OF DATA INCIDENT.”
February 23, 2026
Resources
Individuals whose personal information was involved are eligible for:
- 12 months of free credit monitoring
- $1 million in identity theft insurance
Call center assistance
Individuals may contact the dedicated call center at (844) 443-0842 (toll free) to verify whether their personal information was involved and to enroll in credit monitoring and identity protection services. The call center is available on the following days and times starting March 2:
- Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (excluding holidays)
- Monday to Friday, 3:30 a.m. to 4 p.m. Hawaiʻi Standard Time (excluding holidays)
Precautionary Steps
The following precautions are recommended, even if you choose not to enroll in the provided services:
- Review account statements: Regularly check bank and credit card statements for suspicious activity.
- Order free credit reports: Visit www.annualcreditreport.com or call 1-877-322-8228 to obtain a free copy of your credit report.
- Place a fraud alert: You may place a free initial fraud alert on your credit file by contacting Equifax, Experian, or TransUnion. This requires businesses to verify your identity before opening new credit in your name.
- Consider a security freeze: You have the right to place a security freeze on your credit report, which prevents credit reporting agencies from releasing your report without your authorization, thereby denying unauthorized individuals the ability to use your identity to your financial detriment.
Deadlines
The call center is set to close on May 31, 2026.
The enrollment deadline for the Experian email and the multiuse website is June 20, 2026.
For the MEC letter codes, the Experian enrollment deadline is May 31, 2026.
After these dates, the codes will no longer work on the Experian website.
Frequently Asked Questions (FAQs)
General Incident Overview
Q: What happened?
A: On or about August 31, 2025, UHCC learned that it was the victim of a cyberattack isolated to specific systems that support its Epidemiology Division. The unauthorized third party encrypted large amounts of data, and provided proof that it had potentially exfiltrated a portion of that data. There was no impact to information held by the UHCC’s Clinical Trials operations, patient care or any other divisions, and there was no impact to student records.
Law enforcement was notified, and working with third-party cybersecurity experts, UHCC obtained a decryption tool and secured an affirmation that the information accessed was destroyed. To date, there is no evidence that any of the information has been published, shared or misused.
Q: Has my identity been stolen?
A: At this time, UH has not received reports of fraud or identity theft related to this cyberattack. There is no evidence that the information has been published, shared or misused. However, out of an abundance of caution, UH is making notice to potentially affected individuals and is providing identity protection resources.
Q: Is the threat ongoing?
A: No. The affected systems were immediately taken offline and have since been secured and reviewed by experts.
Data Impact
Q: Whose information was involved?
A: The investigation identified files containing the personal information for three groups of potentially affected individuals:
- Two files containing names in combination with Social Security numbers (SSNs): the first, containing DL numbers, was collected in the year 2000 from the State Department of Transportation; the second, containing voter registration information, was collected in the year 1998 from the City & County of Honolulu. At that time, DL numbers in Hawaiʻi were typically based on SSNs, and City and County of Honolulu voter registration information also often contained SSNs.
- Files for study participants in the long-running Multiethnic Cohort Study (recruitment for participants in Hawaiʻi and Los Angeles, California from 1993–1996) and three other epidemiological studies of diet and cancer focusing on colorectal adenomas (recruitment for participants 1995–2007) and colon cancer (recruitment for participants 1994–2005), which also had SSNs and/or DL numbers in combination with names. They may also have contained questionnaires and other study information on participant health, as well as information pulled from national and state public health registries.
- Two files that contain SSNs in combination with names collected from national and state public health registries as part of epidemiology research and study recruitment efforts. One file was closed to new names in 1999, and the other in the mid-2000s. The impacted files may also have contained research registry information about individuals’ health.
Q: What information was involved for research study participants?
A: The affected research files for study participants included names, addresses, Social Security numbers, and, in a limited number of dated research files, health-related information collected for epidemiological research purposes.
Q: Why does the Cancer Center Epidemiology Division have my driver’s license and voter registration information?
A: At the time of the epidemiology studies in the 1990s and early 2000s, it was common practice for Hawaiʻi government agencies to provide driver’s license and voter registration lists to researchers to identify prospective participants for large population health studies. At that time, driver’s license and voter registrations used SSNs as identifiers.
Investigation and Response
Q: What caused this incident?
A: UH has engaged third-party experts to conduct a comprehensive review of the incident, including the circumstances surrounding the breach and the effectiveness of existing controls. That review is ongoing. If the investigation identifies violations of university policy or failures to meet required standards, appropriate action will be taken in accordance with UH policies, applicable employment agreements, and State law. UH is committed to accountability and to strengthening systems and processes where improvements are needed.
Q: Why did it take this long to notify the public?
A: While the incident was detected on August 31, 2025, the full extent of the potential impact to individuals regarding their personal information was not confirmed until February 2026 due to the volume and complexity of the data encrypted, and the age of the studies and records. The unauthorized third party encrypted large amounts of data, which required time and expertise to restore and regain access to. Once access was restored, a detailed electronic discovery process was required to review the data to expeditiously identify exactly whose personal information was present. MEC Study participants were individually confirmed first, with notification letters being sent on February 23, 2026, and the other studies, research projects, and historical driver’s license and voter registration records were identified and confirmed in February 2026, with notification being made on February 27, 2026 by statewide publication and website, and in March via email where email addresses have been found (approximately 900K were found, but only 757,588 have been validated). Investigations are still ongoing to assess other sensitive information that may have been impacted. UH is confident that any other personal information (SSNs or driver’s license numbers in combination with names) found will be nominal and, where possible, those individuals will receive separate notice.
Q: What oversight or reviews are being conducted of the affected research studies?
A: Third-party experts have been hired to investigate the cyberattack, assess newly implemented security controls, and review the UH Cancer Center’s Information Technology and cybersecurity practices. In addition, the UH Institutional Review Board is conducting a for-cause audit of impacted studies to ensure that research participants’ rights and welfare are protected and that all applicable federal, state and institutional requirements are met.
To strengthen long-term oversight, UH has also established new systemwide governance structures for research cybersecurity, including an Information Security Governance Council for Research and an Information Security Task Force. These groups are responsible for coordinating research-related cybersecurity, updating policies, and recommending enterprise-level safeguards and investments.
Q: What security measures have been implemented?
A: The UHCC has implemented extensive cybersecurity and governance enhancements, including:
- Redesigning and hardening the network
- Extending the deployment of modern endpoint protection with 24/7 monitoring
- Migrating sensitive research servers to the secure UH Information Technology Services data center
- Upgrading hardware
- Implementing stricter access controls for sensitive data
- Rebuilding compromised systems to ensure that all malware has been eliminated and creating new accounts/passwords to ensure that attackers no longer have access
- Replacing the existing firewall and rebuilding the network using a new firewall that includes additional security controls
- Enforcing additional cybersecurity training for UHCC staff
- Engaging independent third parties to assess and validate the security controls for the entire UHCC.
Q: What is being done to protect the rest of UH?
A: UH continues to strengthen its cybersecurity protection systemwide, including enhanced monitoring, updated security standards, governance improvements, and independent oversight to ensure alignment with university security policies and best practices.
Notifications and Assistance
Q: How will I know if I am affected?
A: To verify if your personal information may have been exposed, please call toll free (844) 443-0842. The call center is available at the following days and times starting March 2:
- Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (excluding holidays)
- Monday to Friday, 3:30 a.m. to 4 p.m. Hawaiʻi Standard Time (excluding holidays)
Notification letters offering credit monitoring and identity protection services were mailed on February 23rd to 87,493 MEC Study participants, the first group of potentially affected individuals identified. Notification, by statewide publication and on this website, is being provided to everyone on February 27, and in March, notification via email will be made where email addresses have been found (approximately 900K were found, but only 757,588 have been validated). If you believe you may have been impacted and did not receive an email, please check the Spam folder in all of your email accounts. The email should be from Kroll (notice@krollnotifications.com) with the subject line “NOTICE OF DATA INCIDENT.”
Q: Are you offering credit monitoring?
A: Yes. For individuals whose Social Security numbers were involved, UH is offering 12 months of free credit monitoring and $1 million in identity theft insurance.
Q: Is there a cost?
A: No. These services are provided at no cost to you, and enrolling will not affect your credit score.
Q: How do I enroll?
A: The enrollment instructions are in your notification letter/email. If you did not receive a letter/email, please call toll free (844) 443-0842 during the following days and times starting March 2:
- Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (excluding holidays)
- Monday to Friday, 3:30 a.m. to 4 p.m. Hawaiʻi Standard Time (excluding holidays)
Among the information that will be provided is the deadline you must activate your services. is May 31, 2026.
Immediate Steps
Q: What should I do right now?
A:
- Enroll in the free credit monitoring service if eligible.
- Review bank, credit card, and insurance statements for unusual activity.
- Obtain a free credit report at www.annualcreditreport.com.
- Consider placing a fraud alert or security freeze on your credit file.