The University of Hawai’i Cancer Center (UH Cancer Center) recently disclosed a significant cyberattack that exposed sensitive personal information, including Social Security numbers (SSNs) and driver’s license numbers (DLs). Although the university has taken corrective actions, affected individuals may want to explore their legal options for compensation and protection.
University of Hawai’i Cancer Center Cyberattack Investigation
On January 2026, the UH Cancer Center’s Epidemiology Division fell victim to a cyberattack that compromised personal information stored in research files. The unauthorized third party involved in the attack encrypted and potentially exfiltrated data, including sensitive personal information. The breach primarily affected files used for research studies, such as the Multiethnic Cohort (MEC) Study, which has been ongoing since 1993.
The compromised data primarily includes Social Security numbers (SSNs) and driver’s license numbers (DLs), which were commonly used as identifiers in Hawai’i Department of Transportation records from 2000 and City and County of Honolulu voter registration records from 1998. The largest group of affected individuals consists of those involved in the MEC Study, which recruited over 215,000 participants between 1993 and 1996.
Approximately 1.15 million individuals from various data sources may have had their personal information exposed, including 87,493 participants from the MEC Study. The compromised data also included health-related research data and registry information.
The university worked with law enforcement and third-party cybersecurity experts to restore access to the encrypted data and confirmed that any exfiltrated information was destroyed by the attackers. As of now, there is no evidence that the stolen data has been published, shared, or misused.
When Did This Breach Occur?
The cyberattack occurred between January 2026 when suspicious activity was detected, and January 2026, when the university began investigating and securing its systems. The breach primarily involved data from research conducted between 1993 and 2007, with some of the most affected data collected as early as 1998.
Notification letters were sent to 87,493 MEC Study participants on February 23, 2026, and the university is now providing notice to other potentially impacted individuals via email.
What Information Was Breached?
The personal information exposed during the breach includes:
-
Social Security numbers (SSNs)
-
Driver’s license numbers (DLs)
-
Names
-
Health-related research data (from the MEC Study and other epidemiological studies)
-
Registry information from public health databases
In addition to PII, some files also contained health-related research data and other sensitive information related to the participants of the studies, including details from national and state public health registries.
What You Can Do
If you were impacted by this breach, it’s important to take steps to protect your personal information. Here are some actions you can take:
-
Enroll in the complimentary credit monitoring and identity protection services offered by the UH Cancer Center through Experian.
-
Monitor your credit reports for any unauthorized activity or unfamiliar accounts. You are entitled to free annual credit reports from the three major credit bureaus.
-
Place fraud alerts or security freezes on your credit file to prevent unauthorized access or identity theft.
-
Review your financial account statements for any suspicious activity.
-
Stay vigilant against medical identity theft by reviewing your health insurance statements and medical records for unauthorized services or claims.
-
Contact the university’s dedicated hotline for further information or assistance at 1-844-937-3566.
By taking these precautions, you can reduce the risk of identity theft and minimize potential harm from the exposure of your personal information.
File a Data Breach Lawsuit Against the University of Hawai’i Cancer Center
If your personal information was exposed in this cyberattack, you may have the right to pursue compensation through a data breach lawsuit.
When organizations fail to adequately secure sensitive personal information, individuals can face significant risks, including identity theft, fraud, and emotional distress. Even if there is no evidence that the information has been misused, the exposure of Social Security numbers and health-related data can lead to long-term consequences.
A class action lawsuit may allow affected individuals to pursue legal action together, which can increase the effectiveness of seeking compensation and ensure that the university is held accountable for its failure to protect sensitive data.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.
