Ransomware and Data-Theft Incidents Impacting US Healthcare and Education Organizations
The University of Hawaiʻi Cancer Center confirmed a ransomware-driven data breach affecting its epidemiology division, with the potential exposure of data tied to up to 1.2 million individuals. The university reported that attackers accessed files containing SSNs and driver’s license numbers sourced from historical Hawaiʻi DOT records and Honolulu voter registration data (dating back to 1998), as well as health-related research data connected to the Multiethnic Cohort (MEC) Study and other diet-and-cancer studies; the incident was discovered on August 31, 2025, and the university acknowledged it engaged with the threat actors while restoration and impact assessment were underway.
Separately, a “cyber incident” caused a five-school-day internet outage at the Denmark School District in Wisconsin; the INC Ransom group claimed the victim on its leak site, alleging both encryption and theft of roughly 70.76 GB of data, though the district had not publicly confirmed ransomware or data exfiltration. In the healthcare sector, Insight Hospital and Medical Center in Chicago reported unauthorized network access between August 22 and September 11, 2025, and the Termite group later claimed to have stolen and then leaked ~360 GB (about 900,000 files) of “confidential data,” including medical imaging files (e.g., .dcm), raising the likelihood of exposure of both identity data and protected health information.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
University of Hawaiʻi launches systemwide IT review
Following the Cancer Center incident, university leadership initiated a systemwide IT review across all 10 campuses. The review came amid broader concern after a prior 2023 ransomware incident at Hawaiʻi Community College.
University of Hawaiʻi Cancer Center discloses 1.2 million-person data exposure
On March 2, 2026, the University of Hawaiʻi Cancer Center confirmed that the 2025 ransomware attack exposed personal data for up to 1.2 million people. Exposed records included Social Security numbers, driver's license numbers, voter registration data, transportation records, and some health-related research information.
Denmark School District suffers weeklong outage
A cyber incident left Denmark School District without internet access for five school days, forcing staff and students to use paper-based workarounds. The disruption was suspected to be related to the claimed ransomware attack.
INC Ransom claims attack on Denmark School District
A ransomware tracking site listed Denmark School District in Wisconsin as a victim claimed by INC Ransom, with a discovery date of March 1, 2026. The attackers allegedly encrypted files and acquired about 70.76 GB of data, though the claim was not independently confirmed.
Termite adds Insight Hospital to leak site
On February 24, 2026, the Termite ransomware group listed Insight Hospital on its dark web leak site. The group claimed to have stolen 360 GB of confidential data and subsequently leaked the data in multiple parts, including medical-image files.
Insight Hospital issues substitute breach notice
Around January 26, 2026, Insight Hospital published a substitute notice about the 2025 incident. It said individual notifications were still pending while the review continued and disclosed that sensitive personal and health-related data may have been affected.
University of Hawaiʻi engages attackers and obtains decryptor
During its investigation and recovery, the University of Hawaiʻi worked through a cybersecurity firm to engage the threat actors and obtain a decryption tool. The attackers also affirmed that stolen information had been destroyed, though no responsible group was identified.
Insight Hospital detects unusual network activity
In September 2025, Insight Hospital identified unusual activity on its network and began investigating the incident. The review later tied the activity to unauthorized access during late August and early September.
University of Hawaiʻi Cancer Center discovers ransomware attack
The University of Hawaiʻi Cancer Center discovered a ransomware incident affecting its epidemiology division on August 31, 2025. The attack was limited to certain research servers and did not affect clinical trials, patient care, or other Cancer Center divisions.
Insight Hospital attackers gain unauthorized network access
Insight Hospital and Medical Center later determined that unauthorized access to its network occurred between August 22 and September 11, 2025. Potentially affected data included identity, financial, treatment, and health insurance information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
University of Hawaiʻi Cancer Center confirms data leak following ransomware attack | The Record from Recorded Future News
therecord.media
Open sourceWisconsin k-12 district hit by weeklong outage - DataBreaches.Net
databreaches.net
Open sourceData from Insight Hospital and Medical Center Leaked on Dark Web - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware and data-breach disclosures across education, critical infrastructure, and healthcare
Rome’s **La Sapienza University** shut down network systems as a precaution after a cyberattack caused widespread disruption and left its website offline; Italian media attributed the incident to a suspected ransomware operation linked to pro-Russian actor **Femwar02**, with reported tradecraft resembling **Bablock/Rorschach**-style fast encryption. Separately, Romania’s national oil pipeline operator **Conpet** reported a cyberattack that disrupted corporate IT and took down `www.conpet.ro` while leaving **OT/SCADA** and pipeline transport operations unaffected; **Qilin** claimed responsibility, alleging theft of nearly **1TB** of data and posting sample documents (including financial data and passport scans) to support extortion claims. In the U.S., government services contractor **Conduent** faced expanding breach impact from its January 2025 ransomware incident, with notifications indicating exposure potentially reaching **dozens of millions**; reported affected data includes **names, Social Security numbers, and medical/health insurance information**, with at least **15.4M** impacted in Texas and **10.5M** in Oregon per state disclosures. Additional healthcare-sector disclosures included a ransomware-linked intrusion at **Insightin Health** (unauthorized access in September 2025; **Medusa** claimed exfiltration of **378GB**) and a separate compromise at **Clinic Service Corporation** (August 2025 access window), while **Central Ozarks Medical Center** reported a criminal cyberattack affecting **11,818** individuals with exposure of PHI/PII (including SSNs and financial/insurance data). Other items in the set were not incident-specific: an **HHS-OIG** audit describing web application security weaknesses at a large hospital, and general guidance/education pieces on the value of medical records to attackers and **CISA** insider-threat guidance.
Mar 21, 2026
University of Hawaii Cancer Center Ransomware Breach and Delayed Disclosure
The **University of Hawaii (UH) Cancer Center** disclosed that a ransomware intrusion affecting a single cancer research project led to the encryption of systems and the theft of a limited set of research files, including some legacy documents from the 1990s containing **Social Security numbers** used to identify study participants. UH reported the incident occurred in late August 2025 and said clinical operations and patient care were not impacted, but recovery and investigation were delayed due to the extent of encryption damage; UH also stated it engaged external experts, isolated affected systems, and negotiated with the attackers, including paying to obtain a decryptor and seeking assurances of deletion of stolen data. The disclosure drew scrutiny because UH reportedly notified the state legislature well after Hawaii’s **20-day breach reporting deadline**, and the university has not provided key details such as the specific research project, the number of affected individuals, or concrete measures proving the stolen data was not exposed after negotiations. Separate reporting on unrelated ransomware activity included **Everest** claiming a breach of **Nissan** with an alleged 900GB data theft and **Trellix** research describing **CrazyHunter** ransomware targeting Taiwan healthcare organizations; those items do not appear connected to the UH Cancer Center incident beyond being ransomware-related.
Mar 21, 2026
University of Hawaiʻi Cancer Center Ransomware Breach Exposes Data of Up to 1.2 Million People
The University of Hawaiʻi confirmed that a **ransomware attack** against the UH Cancer Center’s **Epidemiology Division** led to the theft of sensitive data affecting up to **~1.2 million individuals**. The intrusion occurred in **August 2025**, and the university began issuing notifications in late February, including letters to **87,493** participants in the *Multiethnic Cohort (MEC) Study* and additional outreach tied to roughly **900,000** discovered email addresses. UH stated the incident did **not** impact Cancer Center clinical trials operations, patient care, other Cancer Center divisions, or UH student records. Disclosed exposed data includes research and registry-related files containing **names and Social Security numbers**, and in some cases **driver’s license numbers** and **health information** associated with the MEC Study (1993–1996) and other diet/cancer studies, as well as historical datasets sourced from state transportation and voter registration records (late 1990s/2000s). Reporting also indicates the affected records include SSN identifiers from historical driver’s license and voter registration data, expanding the potential impacted population beyond the MEC cohort to approximately **1.15 million** additional individuals whose information may have been present in those datasets.
Mar 21, 2026