Attackers breached cancer research systems, stealing sensitive participant information dating back to the 1990s and highlighting long-term data retention risks.

The University of Hawaii Cancer Center suffered a significant ransomware attack in August 2025 that compromised decades-old research participant data, including Social Security numbers from studies conducted as far back as the 1990s. This incident underscores the persistent vulnerability of research institutions holding historical sensitive information.
According to the university's official report to Hawaii's legislature, attackers encrypted systems supporting a specific cancer research project on August 31, 2025. While clinical operations and patient care remained unaffected, the encryption significantly delayed restoration efforts and forensic analysis.
"Upon discovery in late August, the affected systems were immediately disconnected, experts were engaged to conduct a comprehensive investigation," a university spokesperson confirmed. The institution made the "difficult decision" to negotiate with threat actors after discovering stolen files contained historical participant identifiers.
Initial analysis suggested most compromised files contained only anonymized research data. However, deeper investigation revealed documents from the 1990s containing Social Security numbers, an identification method since replaced by modern protocols. This highlights the often-overlooked risk of legacy data retention practices in research environments.
The university paid ransom in exchange for both a decryption tool and verified deletion of stolen data. "We worked with external cybersecurity experts to secure destruction of the information the threat actors illegally obtained," the spokesperson stated. Notification to affected individuals is pending verification of contact information.
Mitigation efforts include:
- Complete replacement of compromised systems
- Enterprise-wide password resets
- Implementation of endpoint protection software
- Firewall software upgrades
- Third-party security audits
This incident follows a pattern of attacks on academic institutions, including recent attacks against Harvard University and the University of Pennsylvania, where Clop ransomware exploited an Oracle E-Business Suite vulnerability.
Practical Recommendations:
- Conduct historical data audits: Identify and securely archive or destroy legacy identifiers like SSNs
- Segment research networks from clinical systems: Containment prevented operational disruption
- Implement multi-factor authentication: Especially for systems containing sensitive participant data
- Maintain offline backups: Enable restoration without ransom negotiation
- Update data retention policies: Align storage duration with actual research needs
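One way to start the historical data audit recommended above, as an added example (not code from the university or the original article): a Python script that walks a directory tree, flags files containing structurally valid dashed or spaced SSN patterns, and reports only masked values together with file age. The function names, the `min_age_years` parameter and the sample file are assumptions made for illustration.

```python
import os
import re
import tempfile
import time

# Dashed or spaced SSN-shaped tokens only; bare 9-digit runs are too noisy in research data.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area, group, serial):
    """Apply the SSA structural rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"


def scan_text(text):
    """Return masked hits (last four digits only) for plausible SSNs in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append("***-**-" + serial)
    return hits


def audit_tree(root, min_age_years=0.0, now=None):
    """Walk root and return [(path, age_years, hit_count)] for files holding SSN-like values."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                age = (now - os.path.getmtime(path)) / (365.25 * 86400)
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if hits and age >= min_age_years:
                findings.append((path, round(age, 1), len(hits)))
    return sorted(findings, key=lambda f: -f[1])  # oldest files first


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample data
        with open(os.path.join(d, "cohort_1994.txt"), "w") as fh:
            fh.write("id=17 ssn=123-45-6789\nid=18 ssn=000-12-3456\n")
        print(audit_tree(d))
```

The report lists paths, ages and counts only, so the audit output does not itself become another copy of the identifiers.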
The breach demonstrates how decades-old data practices create modern vulnerabilities, emphasizing that security hygiene must extend beyond current systems to address historical data liabilities.
