University of Hawaiʻi Cancer Center cyberattack possibly exposes personal info

University of Hawaiʻi Cancer Center’s Epidemiology Division was the victim of a cyberattack that possibly exposed records containing personal information.

The records contain Social Security numbers and driver’s license numbers, mostly from Hawaiʻi driver’s license records collected in 2000 from Hawaiʻi Department of Transportation and City and County of Honolulu voter registration records collected in 1998 — both times when identifiers were usually Social Security numbers.

Records were primarily used to recruit research study participants, principally for the Multiethnic Cohort Study, which was established in 1993 and recruited more than 215,000 men and women, ages 45 to 75 years old, between 1993 and 1996 from 5 main ethnic/racial groups who were residents of Hawaiʻi and Los Angeles.

Some of the exposed files also included research data with health-related information of study participants and certain other individuals.

The cyberattack potentially impacted a total 87,493 individuals.

About 1.15 million additional people whose personal information might have been included in the historical driver’s license and voter registration records with Social Security number identifiers also could be impacted.

There was no impact to information kept by University of Hawaiʻi Cancer Center’s Clinical Trials operations, patient care or any other divisions of the cancer center.

There also was no impact to University of Hawaiʻi student records.

“The [University of Hawaiʻi] Cancer Center deeply regrets that this incident occurred and that so many individuals have been impacted,” said University of Hawaiʻi Cancer Center Director Naoto Ueno in a release about the cyberattack. “We take this matter extremely seriously and are committed to transparency, accountability and strengthening protections for the research data entrusted to us.”

What happened and data involved

An unauthorized third party during the cyberattack encrypted and potentially exfiltrated data containing personal information.

The university notified law enforcement and worked with third-party cybersecurity experts to obtain a decryption tool and secure affirmation that any information obtained was destroyed.

There is no evidence to date that any of the information was published, shared or misused.

Personal information affected by the incident was located in a subset of research files stored on certain servers that support University of Hawaiʻi Cancer Center’s epidemiology research operations, including:

• Two files containing names in combination with Social Security numbers. The first, containing driver’s license numbers, was collected in 2000 from Hawaiʻi Department of Transportation; the second, containing voter registration information, was collected in 1998 from the City and County of Honolulu. At that time, DL numbers in Hawaiʻi were typically based on SSNs, and City and County of Honolulu voter registration information also often contained Social Security numbers.
• Files for study participants in the long-running Multiethnic Cohort Study and three other epidemiological studies of diet and cancer focusing on colorectal adenomas, with recruitment for participants from 1995 to 2007, and colon cancer, with recruitment for participants from 1994 to 2005, which also had Social Security numbers and/or driver’s license numbers in combination with names. They might also have contained questionnaires and other study information about participant health, as well as information pulled from national and state public health registries.
• Two files that contain Social Security numbers in combination with names collected from national and state public health registries as part of epidemiology research and study recruitment efforts. One file was closed to new names in 1999 and the other in the mid-2000s. The impacted files might also have contained research registry information about individuals’ health.

Investigations are ongoing to assess other sensitive information that might have been impacted.

University of Hawaiʻi is confident any other personal information found will be nominal and, where possible, those individuals will receive separate notice.

Assistance for potentially affected individuals

Notification letters offering credit monitoring and identity protection services were mailed Feb. 23 to 87,493 Multiethnic Cohort Study Study participants, the first group of potentially affected individuals identified.

The university is now providing notice to all others potentially impacted via email — about 900,000 email addresses have been located — along with this public announcement and launching the University of Hawaiʻi Cancer Center Cyberattack Information and Resource website.

To assist those who might have been impacted, University of Hawaiʻi established dedicated call centers that individuals can:

• Verify whether their information might have been involved.
• Enroll in 12 months of free credit monitoring and $1 million in identity theft insurance.

Call centers were established for both groups and open Monday (March 2):

• Call Center: (844) 443-0842.
• Hours: 4:30 a.m. to 5 p.m. March 2-6; 3:30 a.m. to 4 p.m. beginning March 9 because of daylight savings time.

Visit the University of Hawaiʻi Cancer Center Cyberattack Information and Resource website for additional details and enrollment information.

Official updates will be posted at the University of Hawaiʻi Cancer Center Cyberattack Information and Resource website, University of Hawaiʻi Cancer Center website and UHNews.org.

Disregard any other websites, social media or messages claiming to represent University of Hawaiʻi that request personal information.

Security improvements and investigations

University of Hawaiʻi Cancer Center implemented extensive cybersecurity and governance enhancements including:

• Redesigning and hardening University of Hawaiʻiʻs network.
• Extending the deployment of modern endpoint protection with 24/7 monitoring.
• Upgrading hardware.
• Migrating sensitive research servers into University of Hawaiʻi Information Technology Services data center.
• Implementing stricter access controls for sensitive data.
• Enforcing cybersecurity training for Cancer Center staff.

Internal reviews are ongoing. Independent third parties also are engaged to investigate the cyberattack and assess and validate the security controls for the entire University of Hawaiʻi Cancer Center.

To increase information security oversight and awareness throughout the entire system, University of Hawaiʻi also took the following actions:

• Created a new Information Security Governance Council for Research responsible to coordinate research‑related cybersecurity.
• Established a new Information Security Task Force responsible for updating policies, strengthening cyber roles and responsibilities and recommending enterprise‑level controls and investments.

“This cyberattack requires a comprehensive, systemwide response,” said University of Hawaiʻi President Wendy Hensel in the release about the cyberattack. “I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed.”

Hensel add that the university system is taking a holistic approach, identifying areas requiring additional investment and moving forward with those improvements.

“Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi,” she said.