University of Hawaii Cancer Center Confirms Patient Data Stolen in Ransomware Attack

University of Hawaii Cancer Center has recently disclosed an August 2025 ransomware attack involving the acquisition of the sensitive data of study participants. University of Hawaii Cancer Center, part of the University of Hawaii (UH) System, is located in the Kakaʻako district of Honolulu and is the only National Cancer Institute-designated center in the state. According to the cancer center’s press release and breach reports to state attorneys general, unauthorized access to its computer network was discovered on or around August 31, 2025.

The affected servers were isolated, and an investigation was launched to determine the nature and scope of the unauthorized activity. University of Hawaii Cancer Center confirmed that a ransomware group had breached its network, encrypted files, and exfiltrated research files containing patient information. University of Hawaii Cancer Center said its electronic medical record system was unaffected; however, files were obtained that contained patients’ protected health information.

The majority of the stolen files related to a single research project. The review of those files revealed that some contained the Social Security numbers of research participants dating back to the 1990s. The University of Hawaii Cancer Center said that in the 1990s, Social Security numbers were used as patient identifiers; however, that practice has since been halted, and alternative identifiers are now used.

Due to the highly sensitive nature of the stolen data, UH made the difficult decision to engage with the threat actor. University of Hawaii Cancer Center said it worked with third-party cybersecurity experts to obtain a decryption tool to recover the encrypted data, and paid a ransom to prevent the publication of the stolen data. Assurances have been received that all of the stolen data has been deleted.

Files unrelated to the research study are still being reviewed to determine if they contain any patient data. Notification letters have yet to be sent to the affected individuals, but they will be mailed once up-to-date contact information has been obtained. University of Hawaii Cancer Center said the affected individuals will be offered complimentary credit monitoring and identity theft protection services.

Even though the ransom was paid, due to the extent of file encryption, it has taken some time to recover the encrypted files and restore the affected systems. Additional measures have been implemented to strengthen security, including replacing the existing firewall with a new firewall that has additional security controls and installing new endpoint protection software with 24/7 monitoring. The University of Hawaii Cancer Center said third-party cybersecurity experts have assessed and validated the cancer center’s security controls.

The incident has been reported to regulators; however, since the file review has not yet concluded, the number of affected individuals has yet to be disclosed.

The post University of Hawaii Cancer Center Confirms Patient Data Stolen in Ransomware Attack appeared first on The HIPAA Journal.

TriZetto Provider Solutions Issues Data Breach Notifications to HIPAA Covered Entities (Update)

TriZetto Provider Solutions, a Cognizant-owned provider of revenue management services to physicians, hospitals, and health systems, has started notifying certain healthcare clients about a recently identified cybersecurity incident.

On October 2, 2025, suspicious activity was identified within a web portal used by some of its healthcare provider customers to access TriZetto systems. Immediate action was taken to secure the web portal and mitigate the incident, and the cybersecurity firm Mandiant was engaged to investigate the activity, review the security of the web portal application, and ensure that the incident is fully remediated. TriZetto is satisfied that the threat actor has been eradicated from its system. No further unauthorized web portal activity has been detected since October 2, 2025.

While the cybersecurity incident was only recently detected, the unauthorized access had been ongoing for a considerable period of time. The forensic investigation determined that an unauthorized third party first started accessing historical eligibility transaction reports within the TriZetto system in November 2024, almost a year before the unauthorized access was detected. The reports within its storage system contained the protected health information of patients of certain healthcare provider clients.

Between October 2, 2025, and the end of November 2025, TriZetto reviewed the data within the compromised system to determine the types of data involved and the individuals affected. Information compromised in the incident includes the names of patients and primary insureds, in combination with some or all of the following: address, date of birth, Social Security number, health insurance member number (in some cases, Medicare beneficiary number), health insurer name, information about the primary insured or beneficiary, and other demographic, health, and health insurance information. TriZetto said no financial information was involved.

Notifications have been issued to the affected healthcare clients, who have been provided with a list of the affected individuals and a copy of the affected data. The HIPAA Breach Notification Rule requires notifications to be issued to the affected individuals within 60 days of a HIPAA-covered entity being notified about a data breach at a business associate. Assuming the affected healthcare providers comply with that HIPAA requirement, individual notifications for the affected individuals should be mailed within 60 days.

TriZetto has offered to handle the breach notifications on behalf of the affected clients, should they determine that breach notifications are required under HIPAA. TriZetto has also offered to notify the HHS’ Office for Civil Rights, state regulators, and media outlets on behalf of its covered entity clients, and will also cover the cost of complimentary credit monitoring, fraud consultation, and identity theft restoration services.

It is currently unclear how many of its healthcare provider clients have been affected or the scale of the data breach. Given the fact that its system was compromised for 11 months, it could be a sizeable data breach. Healthcare providers known to have been affected include:

  • CE-Edinger Medical Group, California
  • Friends of Family Health Center, California
  • Gardner Health Services, California (6,197 individuals)
  • Harmony Health Medical Clinic and Family Resource Center, California
  • One Community Health, California
  • Mission Neighborhood Health Center, California (3,741 individuals)
  • Native American Health Center, California
  • Open Door Community Health Centers, California
  • Planned Parenthood Northern California – TriZetto was a subcontractor of its business associate OCHIN
  • Lynn Community Health, Massachusetts
  • Share Ourselves, California (2,864 individuals)
  • Santa Rosa Community Health Centers, California – TriZetto was a subcontractor of its business associate OCHIN

This post was first published on December 11, 2025, and it will continue to be updated as further information about the TriZetto data breach is released. 

The post TriZetto Provider Solutions Issues Data Breach Notifications to HIPAA Covered Entities (Update) appeared first on The HIPAA Journal.

Mystic Valley Elder Services Agrees to Settle Class Action Data Breach Lawsuit for $520,000

The Malden, Massachusetts-based Mystic Valley Elder Services has agreed to pay $520,000 to settle a consolidated class action lawsuit stemming from an April 5, 2024, data breach. Unauthorized individuals gained access to the network of Mystic Valley Elder Services and potentially obtained the names, dates of birth, passport numbers, financial account numbers, payment card numbers, online credentials, taxpayer identification numbers, Social Security numbers, driver’s license numbers, health insurance information, and medical information of more than 89,600 individuals.

Five class action complaints were filed in response to the data breach, which were consolidated in the Middlesex County Superior Court in Massachusetts. The consolidated class action lawsuit – In re Mystic Valley Elder Services Inc. – alleged that the data breach occurred as a result of cybersecurity failures, that Mystic Valley Elder Services failed to detect the unauthorized activity in a timely manner, and that it did not send timely notifications to the affected individuals, who did not learn about the data breach until 6 months later.

The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of the Massachusetts Consumer Protection Act. The lawsuit sought injunctive relief, including an order from the court prohibiting the transmission of sensitive data via unencrypted email and the storage of protected health information in email accounts, and requiring a host of security measures to be implemented to ensure the privacy and security of patient data. Mystic Valley Elder Services denies all liability and wrongdoing.

The lawsuit sought a jury trial; however, following mediation, all parties agreed to a settlement to avoid the cost, time, and uncertainty of a trial and related appeals. The settlement fund will be used to cover attorneys’ fees and expenses, settlement administration and notice costs, and service awards for the class representatives. The remainder of the settlement will be used to pay benefits to the class members.

Class members may claim a pro rata cash payment, estimated to be approximately $75 per class member. A claim may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member. The settlement also includes two years of credit monitoring and identity theft protection services. The final fairness hearing has been scheduled for February 17, 2026. Claims must be submitted by February 9, 2026.

The post Mystic Valley Elder Services Agrees to Settle Class Action Data Breach Lawsuit for $520,000 appeared first on The HIPAA Journal.