
UH Cancer Center Talked With Hackers After Cancer Study Data Was Locked

Published on January 09, 2026

Hackers broke into the University of Hawaiʻi Cancer Center’s research servers last August, encrypting files from a cancer study and exposing participants’ personal information, including Social Security numbers. Instead of walking away from the encrypted data, the university says it engaged with the same threat actors to get a decryption tool and to secure destruction of the stolen files. UH filed a report to the state Legislature in December and is now compiling names and addresses so it can notify affected participants and offer credit monitoring and identity theft protection, according to Civil Beat.

What UH reported to lawmakers

In a report to lawmakers, UH says hackers encrypted files related to a cancer research project and demanded payment for a decryption program. The report explains that “UH made the difficult decision to engage with the threat actors in order to protect the individuals whose senstive [sic] information may have been compromised,” and that the university worked with outside cybersecurity experts to obtain a decryption tool and “to secure destruction of the information the threat actors illegally obtained,” as reported by Civil Beat.

UH also says it has reset passwords, installed continuous monitoring tools, rebuilt compromised systems and ordered a third-party assessment of new security controls, according to Honolulu Civil Beat.

State law and reporting deadlines

Hawaii law generally requires government agencies to submit a written report to the Legislature within 20 days after discovering a security breach, including the number of people affected and a copy of any notice that was sent. The statute allows a delay only if law enforcement informs the agency that notification would impede a criminal investigation or raise national security concerns, according to Perkins Coie.

Why some institutions negotiate

The FBI discourages paying ransoms, warning that payments can encourage more attacks and still do not guarantee that data will be restored. At the same time, federal investigators have on occasion recovered decryption keys for victims, and organizations often weigh operational and patient safety risks when deciding how to respond.

The University of Hawaiʻi previously negotiated with threat actors after a 2023 attack on Hawaiʻi Community College to obtain assurances that stolen data would be destroyed, according to the university’s statement at the time, cited by FBI and University of Hawaiʻi System News.

Experts say it is not simple

Cybersecurity specialists say decisions like UH’s are often driven by real-world pressure rather than clean theory. As Chuck Lerch of HITech Hui told Honolulu Civil Beat, “At the end of the day, FBI doesn’t have the decryption keys. They’re not going to help you.”

UH officials declined requests for an interview and provided only the details contained in the legislative report. That leaves basic questions unanswered, including which project was affected, how many Social Security numbers were exposed and whether any payment was made.

What study participants should do now

If you participated in a UH Cancer Center study and are worried that your information was exposed, the Federal Trade Commission recommends placing a fraud alert or credit freeze, ordering your free credit reports and using IdentityTheft.gov for recovery guidance. The FTC also notes that entities whose breaches expose Social Security numbers commonly offer at least a year of credit monitoring or identity theft protection. For a step-by-step recovery plan and resources, see the guidance from the FTC.

UH says it is compiling contact information for potentially affected participants and that an investigation remains ongoing. How and when those notifications go out, and whether UH’s engagement with the threat actors draws legislative or oversight scrutiny under the 20-day reporting rule, are likely to be the next developments in the case.