UK Biobank breach: Half a million Britons’ medical data offered for sale on Chinese website
The data of 500,000 people who voluntarily gave their health information to the UK Biobank was breached and made available for sale online in China.
Technology minister Ian Murray described the incident as an “unacceptable misuse” of data and said the information of all half a million members had been put up for sale on the Alibaba website.
He told the House of Commons on Thursday that the charity notified the government of the data breach on Monday and that the information did not include names, addresses or contact details.
Mr Murray told MPs: “Biobank told us there were three lists that appeared to be selling to us… Biobank participation data was identified. It turned out that at least one of these three datasets contained data from all 500,000 Biobank volunteers in the UK.”
“Additional lists offer support in applying for legal access to the UK Biobank or analytical support for researchers who already have access to the data.”
Biobank is the world’s most comprehensive dataset of biological, health and lifestyle information. It has been used to improve the detection and treatment of dementia, cancer, and Parkinson’s disease.
“The government spoke to the seller today and they did not believe any purchases were made from these three lists before the lists were removed,” Mr Murray added.
The UK Biobank was established to advance medical research and scientists from around the world can use their data (with personal information removed) for studies deemed to be in the public interest.
All participants were between 40 and 69 years old when they joined the study between 2006 and 2010. Their data is used to track participants’ long-term health and help researchers understand, prevent and treat serious diseases.
Mr Murray said UK Biobank referred him to the Information Commissioner’s Office following the breach.
Mr Murray said the data subject to the breach could include gender, age, month and year of birth, socioeconomic status, lifestyle habits and measures taken from biological samples.
He said he could not give a full guarantee that no one would be identified, but that this could probably only be done “with a very sophisticated method.”
In a statement to the Commons, he said: “As soon as the government became aware of the situation, we took immediate action to protect participants’ data. Firstly, we worked with Biobank, the Chinese government and the vendor to ensure the removal of these three lists that UK Biobank notified us about, including participant data.
“I want to thank the Chinese government for the seriousness with which they worked with us to help remove these lists.
“Secondly, we have had the Biobank charity revoke access to three research institutions identified as sources of this information.
“And thirdly, we have asked the charity Biobank to pause further access to its data until it has implemented a technical solution to prevent data on its existing platform from being downloaded in this way again. I can confirm to the House that this pause is now in place.”
In a statement published on Thursday, UK Biobank’s chief executive and principal investigator, Professor Sir Rory Collins, told study participants: “We would like to inform you of an incident involving UK Biobank data.
“We apologize to our participants for any concern this may cause and hope to provide reassurance by outlining the serious steps we are taking in response.
“At UK Biobank, your personally identifiable information is safe and secure.
“Listings offering access to UK Biobank data (which did not contain any personally identifying information) were found on a Chinese consumer website. These listings were quickly removed before any purchases could be made.
“We are taking additional security measures to prevent this incident from happening again. We will conduct a thorough investigation into the incident.”
“Since UK Biobank began making your de-identified data available for research in 2012, it has led to thousands of discoveries leading to improvements in the prevention and treatment of many different diseases.”
Professor Elena Simperl, from King’s College London’s Department of Informatics, said: “The revelation of UK Biobank data is not a finger-pointing moment, but an important one for us to take seriously what it tells us about the national data infrastructure. Initiatives like UK Biobank are absolutely essential to driving innovation across the health and life sciences ecosystem.”
“With longitudinal data on half a million volunteers and more than 18,000 peer-reviewed articles to its name, the UK is a world leader in this field and is rightly proud of it.
“What happened here was an infrastructure issue, not the result of a sophisticated cyber attack. Too often, the costs of maintaining infrastructure for flagship data management projects like this are treated as an afterthought. The UK has built something remarkable, but we need to continue to invest to keep it secure.”
