Half a million Biobank members had data listed for sale, minister says
Details of 500,000 members of the UK’s health data project Biobank are available for sale online in China, the government has confirmed.
Technology minister Ian Murray described the breach as an “unacceptable misuse” of their data, noting that the information of all half a million members of the database was listed for sale on the Alibaba website.
Biobank is the world’s most comprehensive dataset of biological, health and lifestyle information. It has been used to improve the detection and treatment of dementia, cancer, and Parkinson’s disease.
Mr Murray told MPs that the charity which runs the Biobank informed the government about the data breach on Monday. He said the information did not include names, addresses, contact information or telephone numbers.
Mr Murray said the information was downloaded legally by three research institutions in China. Their access has since been revoked. The government is trying to determine how the breach occurred.
Ministers were told that no purchases had been made from the three lists on the website. These were removed and Mr Murray thanked the Chinese Government for their cooperation.
Sir Rory Collins, Biobank’s chief executive, said the charity had temporarily closed access to its research platform.
Sir Rory apologized to attendees and said additional security measures would be taken.
Speaking in the House of Commons, Mr Murray said: “The UK Biobank charity notified the Government that it had identified its data being offered for sale by a number of sellers on Alibaba e-commerce platforms in China.
“Biobank has told us that Biobank engagement data… has been identified in three selling lists. At least one of these three datasets appears to contain data from all 500,000 Biobank volunteers in the UK.”
The biobank says it removed personal identifying information, such as names and addresses, from all 500,000 volunteers before allowing scientists to access the data. This means details such as names, addresses, dates of birth and NHS numbers are not included in the data.
But Mr Murray said he could not give a full guarantee that no one would be identified, although this would probably only be done “by a very sophisticated method”.
UK Biobank participants were aged between 40 and 69 when they joined the study between 2006 and 2010.
The resulting data have been cited in more than 18,000 peer-reviewed scientific articles, including the main causes of health disorders.
These range from lung and cardiovascular conditions to mental health conditions and arthritis.
Sir Rory Collins, the company’s chief executive and principal investigator, apologized to the volunteers and said: “We apologize to our participants for the concern this will cause and hope to provide reassurance by outlining the serious actions we are taking in response.
“At UK Biobank, your personally identifiable information is safe and secure.”
He continued: “We are taking additional security measures to prevent this incident from happening again. We will conduct a comprehensive investigation into this incident.”
Mr Murray said the breach was “an unacceptable misuse of data from the UK Biobank charity and an abuse of the trust that participants readily expect when sharing data for research purposes”.
He said: “The Government is taking this incident extremely seriously, which is why we took swift action to support the UK Biobank charity’s response, and that’s why I wanted to update the House at the earliest opportunity.
“New guidance will soon be issued to the Government on the control of data from research studies and I would like to use this opportunity to once again encourage all businesses and charities to ensure their systems and data sharing processes are as secure as possible.
“Last week we wrote to businesses about the cybersecurity tools available free of charge from the Government and the steps they need to take to maximize security. Ensuring the safe use of UK Data is a priority for this Government.”
