Hawaii Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

Hawaii occupies a unique position in the American cybersecurity landscape. As the headquarters of the U.S. Indo-Pacific Command and home to the Pacific Fleet at Pearl Harbor, the state hosts one of the largest concentrations of military and intelligence assets outside the continental United States. This military presence, combined with a tourism industry that generates over $18 billion annually and a healthcare sector serving a geographically isolated population, creates a cybersecurity environment where nation-state espionage, financially motivated cybercrime, and critical infrastructure threats all converge on a small island state.

The incidents below document how Hawaii organizations have been compromised and what vulnerabilities were exploited. Hawaii's geographic isolation amplifies the consequences of cyberattacks — when a hospital's systems go down on an island 2,400 miles from the U.S. mainland, there is no neighboring city to absorb patient overflow. Understanding this history is critical for any Hawaii business building a cybersecurity program. For a broader view of the threat environment, see our analysis of the Hawaii cyber threat landscape.

Major Cyber Incidents in Hawaii: A Timeline

2014 — Queen's Medical Center Phishing Attack

Queen's Medical Center, the largest private hospital in Hawaii and a Level I trauma center in Honolulu, disclosed that a phishing attack compromised employee email accounts containing patient information. The breach exposed names, Social Security numbers, dates of birth, and medical record numbers for approximately 680 patients. The hospital implemented additional email security measures and expanded employee security awareness training. As part of the Queen's Health Systems network, the incident prompted a system-wide review of email security controls.

2017 — Equifax Breach Impact on Hawaii Military Personnel

The 2017 Equifax breach, which exposed personal data of 147 million Americans, had outsized impact on Hawaii due to the state's high concentration of military and federal personnel. Active duty service members, veterans, and civilian defense employees in Hawaii found their sensitive financial data compromised, creating counterintelligence concerns for the military intelligence community concentrated around Pearl Harbor and Fort Shafter. The Department of Defense subsequently accelerated identity protection services for affected personnel stationed in Hawaii.

2018 — Hawaii Medical Service Association Data Incident

The Hawaii Medical Service Association (HMSA), the state's largest health insurer covering approximately 700,000 members — roughly half of Hawaii's population — disclosed a data security incident involving unauthorized access to member information through a web portal vulnerability. While the full scope was limited, the incident was significant because of HMSA's dominant market position and the proportion of the state's population whose data it manages.

2019 — Hawaii Pacific Health Network Breach

Hawaii Pacific Health, which operates Kapiolani Medical Center for Women & Children, Pali Momi Medical Center, Straub Medical Center, and Wilcox Medical Center, disclosed that unauthorized access to employee email accounts had exposed patient protected health information. The breach affected patient names, medical record numbers, and in some cases clinical information. Hawaii Pacific Health enhanced its email authentication protocols and implemented additional monitoring for suspicious login activity.

2020 — Hawaii State Department of Education Data Exposure

The Hawaii Department of Education confirmed a data incident during the rapid transition to remote learning during the COVID-19 pandemic. The incident involved exposure of student data through inadequately secured remote learning platforms. The department worked with platform vendors to address the vulnerability and implemented additional data protection measures for student information. The incident reflected a nationwide pattern of educational data exposures created by the hurried adoption of remote learning technology.

2022 — Hawaii Tourism Authority Vendor Breach

A third-party vendor providing services to the Hawaii Tourism Authority experienced a data breach that exposed personal information of individuals who had interacted with tourism promotion programs. While the breach was relatively limited in scope, it highlighted the supply chain risks inherent in Hawaii's tourism ecosystem, where numerous vendors, booking platforms, and marketing services handle visitor and business partner data.

2023 — Maui Wildfire Response Phishing Campaigns

In the aftermath of the devastating August 2023 Maui wildfires, cybercriminals launched phishing campaigns exploiting the disaster to target both victims and donors. Fraudulent emails impersonating FEMA, the Red Cross, and Hawaiian charities attempted to harvest personal information and financial credentials. The campaigns specifically targeted Lahaina residents seeking emergency assistance and mainland donors seeking to help, demonstrating how attackers exploit natural disasters to conduct social engineering at scale. The FBI and Hawaii Attorney General issued public warnings about these scams.

2024 — Hawaii Community Federal Credit Union Ransomware

Hawaii Community Federal Credit Union, serving members primarily on the Big Island, experienced a ransomware attack that disrupted online banking services and internal operations. The credit union activated its incident response plan and worked with federal regulators and cybersecurity firms to contain the attack and restore services. The incident underscored the vulnerability of smaller financial institutions in Hawaii, which serve critical roles in island communities with limited banking alternatives.

Hawaii's Data Breach Notification Law

Hawaii's data breach notification requirements are codified in Hawaii Revised Statutes Section 487N. The law requires any business that owns or licenses personal information of Hawaii residents to notify affected individuals "without unreasonable delay" following discovery of a security breach. If a breach affects more than 1,000 Hawaii residents, the business must also notify the Hawaii Office of Consumer Protection and major credit reporting agencies.

Personal information under the Hawaii statute includes a resident's name combined with Social Security number, driver's license number, or financial account information with access credentials. Hawaii expanded its law in 2022 to include biometric data, username/email with passwords, and medical information as protected data types. Businesses may delay notification if law enforcement determines it would impede a criminal investigation. For detailed compliance guidance, see our Hawaii data privacy and compliance guide.

Which Hawaii Industries Are Most Targeted?

Military and Defense

Hawaii hosts the U.S. Indo-Pacific Command (USINDOPACOM), Pacific Fleet headquarters at Pearl Harbor, and numerous other military installations. The state's military-adjacent businesses — defense contractors, technology vendors, and logistics providers — operate in a threat environment dominated by Chinese and other nation-state intelligence services. These adversaries target not just military systems directly but the civilian businesses that support military operations, seeking information about capabilities, personnel, and operational patterns.

Healthcare

Hawaii's geographic isolation makes healthcare cybersecurity especially critical. Queen's Health Systems, Hawaii Pacific Health, and Kaiser Permanente Hawaii serve a population that cannot easily access alternative care facilities on the mainland. A ransomware attack that takes a major Honolulu hospital offline affects the entire state's healthcare capacity in ways that mainland incidents do not. Healthcare data is also highly valuable on dark web markets, making Hawaii's health systems targets for both extortion and data theft.

Tourism and Hospitality

Tourism generates over $18 billion annually for Hawaii's economy, with millions of visitors sharing personal and financial data through hotel systems, booking platforms, airlines, and point-of-sale systems across the islands. The tourism industry's reliance on small businesses — tour operators, restaurants, vacation rental managers — creates a fragmented attack surface where individual operators may lack even basic cybersecurity measures while handling significant volumes of payment card data and personal information.

What Hawaii Businesses Must Do After a Breach

When a Hawaii business discovers a data breach, it must act quickly to comply with HRS Section 487N and protect affected individuals.

• Contain the incident immediately by isolating affected systems and engaging incident response professionals

• Conduct forensic analysis to determine the scope of the compromise, the data types affected, and the number of individuals impacted

• Notify affected individuals without unreasonable delay with a written notice describing the breach, data types compromised, and protective measures

• Notify the Hawaii Office of Consumer Protection and credit reporting agencies if more than 1,000 Hawaii residents are affected

• Consider offering identity protection services, particularly if Social Security numbers or financial data were compromised

• Document all response actions for regulatory compliance and potential litigation defense

How to Protect Your Hawaii Business Before an Incident

Hawaii's island geography means that incident response resources may be limited or delayed compared to mainland locations. This makes prevention and preparation even more critical for Hawaii businesses.

• Implement multi-factor authentication on all accounts, especially cloud services and remote access systems

• Maintain encrypted, offline backups stored in geographically separate locations — consider mainland backup sites for disaster resilience

• Conduct regular vulnerability assessments and penetration testing at least annually

• Train employees to recognize phishing, especially disaster-themed scams that exploit Hawaii's vulnerability to natural events

• Develop a comprehensive incident response plan that accounts for Hawaii's geographic isolation and limited local incident response resources

For a foundational understanding of IT security outsourcing, see our guide to managed IT security services and what managed IT services include.

Frequently Asked Questions

What is the biggest cybersecurity incident in Hawaii history?

While several incidents have affected large numbers of people, the 2023 Maui wildfire phishing campaigns were notable for their scope and exploitation of a natural disaster. The 2024 Hawaii Community Federal Credit Union ransomware attack and the ongoing targeting of military-adjacent organizations by nation-state actors represent the most significant ongoing threats.

Does Hawaii have a specific deadline for breach notification?

Hawaii law requires notification "without unreasonable delay" but does not specify an exact day count. Businesses should aim to notify as quickly as possible after completing their investigation, as unreasonable delays can result in enforcement action by the Hawaii Office of Consumer Protection.

How does the military presence affect Hawaii's cybersecurity?

The concentration of U.S. Indo-Pacific Command, Pacific Fleet, and other military installations makes Hawaii a high-priority target for nation-state intelligence services, particularly those of China, Russia, and North Korea. Civilian businesses that contract with or support the military face elevated threat levels and may be targeted as pathways to access military information.

Are Hawaii tourism businesses required to comply with cybersecurity regulations?

While there is no tourism-specific cybersecurity law, Hawaii tourism businesses that process credit card payments must comply with PCI DSS requirements. Businesses that collect personal information of Hawaii residents must comply with the state's breach notification law. Those in the hospitality sector handling guest data may also face contractual security requirements from major hotel brands and booking platforms.

What makes Hawaii uniquely vulnerable to cyberattacks?

Hawaii's geographic isolation means limited local incident response resources, no ability to physically relocate patients or operations to neighboring facilities, dependence on undersea fiber optic cables for internet connectivity, and supply chain logistics that amplify the impact of disruptions. A cyberattack that would be disruptive on the mainland can be catastrophic in an island environment.

How did the Maui wildfires create cybersecurity risks?

The Maui wildfires created multiple cybersecurity risks: phishing campaigns impersonating relief organizations targeted victims and donors, temporary displacement of residents created authentication and identity verification challenges, and the rapid deployment of emergency communication systems introduced new attack surfaces. Disaster recovery operations also required sharing sensitive personal information across multiple agencies and organizations, increasing exposure risk.