Mar 03, 2026 · 5 min read
A University Discovered 1.2 Million People's Data Was Stolen—Then Waited 6 Months to Tell Them
Ransomware attackers breached the University of Hawaii Cancer Center in August 2025 and potentially stole 1.2 million Social Security numbers. The first notification letters went out six months later.
The Breach
On August 31, 2025, the University of Hawaii Cancer Center's Epidemiology Division discovered that an unauthorized third party had encrypted files on its research servers. The attack was ransomware: the attackers locked the data and, according to the university's own disclosure, may have exfiltrated it before encrypting it.
The servers contained decades of research data, including records from the Multiethnic Cohort (MEC) Study—one of the longest-running epidemiological studies in the United States, following participants across racial and ethnic groups to understand cancer risk factors. Buried in those servers were also historical Hawaii government files: driver's license records from 2000, in which many license numbers were derived directly from Social Security numbers, and Honolulu voter registration records from 1998.
When the university completed its review, the total stood at 1,241,020 people whose Social Security numbers had been potentially exposed.
Six Months of Silence
The university discovered the breach in August 2025. The first notification letters reached affected study participants on February 23, 2026—nearly six months later. Public disclosure came on February 27, 2026.
Hawaii's data breach notification law requires organizations to notify affected individuals and the state within 20 days of confirming a breach, unless law enforcement requests a delay to protect a criminal investigation. The university's own disclosure mentions notifying the FBI. Whether law enforcement requested or authorized a notification delay is not stated in public materials.
The university has not publicly explained why six months elapsed between discovery and notification. Investigators point out that scope-of-exposure analysis—determining exactly which records were accessed and to whom they belong—can take time, especially with historical files from the 1990s and 2000s that were never intended to be searchable databases. That analysis is legitimate and necessary. It does not straightforwardly account for a half-year gap.
What Was in Those Files
The nature of the exposed data deserves emphasis. The 87,493 Multiethnic Cohort Study participants shared highly sensitive personal health information with researchers—names, demographic data, health history, and other details that people disclosed specifically for scientific purposes, under an expectation of confidentiality. Some of those participants have been enrolled in the study for decades.
The additional 1.15 million people whose SSNs were exposed come from historical government records that wound up in research files for legitimate epidemiological reasons—matching cancer registry data against population records to understand disease patterns. Those individuals almost certainly had no awareness that their 1998 voter registration or 2000 driver's license records were sitting in a university cancer research database in 2025.
That is one of the less-examined risks of large-scale data aggregation in research settings: data collected for one purpose and linked to government records accumulates into a target that was never anticipated when the original records were created.
The Notification Delay Problem
The University of Hawaii case is not unusual. Delayed breach notification is endemic across healthcare and research institutions, for reasons that are partly structural and partly cultural.
Healthcare entities operate under HIPAA, which requires breach notification within 60 days of discovering a breach affecting 500 or more people. State laws impose separate timelines that are often shorter. When organizations are managing an active ransomware incident, conducting forensics, negotiating with attackers (the university says it obtained a decryption tool), and trying to determine the full scope of exposure, legal teams routinely advise delaying public notification until they have a complete picture. That advice is defensible. It also means people who should be placing fraud alerts and monitoring their credit are instead exposed without knowing it.
Regulators have increasingly signaled impatience with this calculus. The SEC's breach disclosure rules for public companies require disclosure within four business days of determining materiality. HIPAA regulators have issued enforcement actions specifically targeting delayed notification. State attorneys general in California, New York, and Texas have pursued companies for years-long notification delays. The University of Hawaii is a public institution and may face different oversight mechanisms, but the breach notification timeline will likely draw regulatory scrutiny.
What Affected People Can Do
If you participated in the Multiethnic Cohort Study, were a Hawaii resident before 2001, or lived in Honolulu and registered to vote by 1998, your Social Security number may be in this dataset. The practical steps are:
- Place a free credit freeze at all three major credit bureaus (Equifax, Experian, TransUnion)
- Set up fraud alerts if you haven't already
- Use the university's free credit monitoring: call (844) 443-0842
- Review IRS records for any unauthorized tax filings using your SSN
The university states there is no evidence as of February 2026 that the stolen data has been published or misused. The "affirmation that any information obtained was destroyed" the university received from the attackers is not an independently verifiable guarantee—it is a statement from criminals who broke into a research institution. Protective measures are warranted regardless.