By HFT Staff

The University of Hawai?i Cancer Center’s Epidemiology Division was the victim of a cyberattack that possibly exposed records containing Social Security numbers (SSNs) and driver’s license (DL) numbers, mostly from Hawai?i DL records collected in 2000 from the State Department of Transportation (when identifiers were usually SSNs) and City and County of Honolulu voter registration records collected in 1998 (also when identifiers were usually SSNs). 

The Hawai?i DL and Honolulu voter registration records were primarily used to recruit research study participants, principally for the Multiethnic Cohort (MEC) Study. The MEC Study was established in 1993 and recruited more than 215,000 men and women, aged 45 to 75 years, between 1993 and 1996 from five main ethnic/racial groups who were residents of Hawai?i and Los Angeles, California. Some of the exposed files also included research data with health-related information on study participants and certain other individuals. 

The MEC Study participants potentially impacted a total 87,493 individuals. Additional individuals whose personal information may have been included in the historical driver’s license and voter registration records with SSN identifiers number approximately 1.15 million. 

There was no impact to information held by the UH Cancer Center’s Clinical Trials operations, patient care, or any other divisions of the UH Cancer Center. There was no impact to UH student records. 

During the cyberattack, an unauthorized third party encrypted and potentially exfiltrated data containing personal information. The university notified law enforcement and worked with third-party cybersecurity experts to obtain a decryption tool and secure an affirmation that any information obtained was destroyed. To date, there is no evidence that any of the information has been published, shared or misused. 

The personal information affected by the incident was located in a subset of research files stored on certain servers that support the UH Cancer Center’s epidemiology research operations, including: 

• Two files containing names in combination with SSNs: the first, containing DL numbers, was collected in the year 2000 from the State Department of Transportation; the second, containing voter registration information, was collected in the year 1998 from the City & County of Honolulu. At that time, DL numbers in Hawai?i were typically based on SSNs, and City and County of Honolulu voter registration information also often contained SSNs. 
• Files for study participants in the long-running Multiethnic Cohort (MEC) Study (recruitment for participants in Hawai?i and Los Angeles, California from 1993 to 1996) and three other epidemiological studies of diet and cancer focusing on colorectal adenomas (recruitment for participants 1995–2007) and colon cancer (recruitment for participants 1994–2005), which also had SSNs and/or DL numbers in combination with names. They may also have contained questionnaires and other study information on participant health, as well as information pulled from national and state public health registries. 
• Two files that contain SSNs in combination with names collected from national and state public health registries as part of epidemiology research and study recruitment efforts. One file was closed to new names in 1999, and the other in the mid-2000s. The impacted files may also have contained research registry information about individuals’ health. 

Investigations are still ongoing to assess other sensitive information that may have been impacted.