Medical information of 500,000 participants of one of the UK’s landmark scientific programmes, UK Biobank, was offered for sale online in China.
UK’s Technology Minister Ian Murray said data of all members of the database was found listed for sale on the website Alibaba. The charity that runs UK Biobank informed the government about the breach, he said. The information did not include names, addresses, contact details or telephone numbers.
He said it could include gender, age, month and year of birth, socio-economic status, lifestyle habits, and measures from biological samples.
The Biobank, which has gathered the intimate details, including whole body scans, DNA sequence and medical records, from hundreds of thousands of volunteers over two decades, has resulted in over 18,000 scientific publications, and has been used to improve the detection and treatment of dementia, certain cancers, and Parkinson’s.
They were recruited between 2006 and 2010 and were between 40 and 69 years old.
UK Biobank said it was investigating the incident and thanked the UK and Chinese governments, as well as Alibaba, for support and cooperation.
“We understand that the existence of these listings, even temporarily, will be concerning to you. We want to reassure you that all the data are de-identified; they do not contain any personally identifying information (such as names, addresses, dates of birth, and NHS numbers),” Chief Executive Professor Sir Rory Collins said in a message to participants, BBC reported.
In a letter to volunteers, Sir Rory said the data that was the subject of the incident had been shared with researchers at three institutions, but was ’quickly’ taken down by Alibaba after the UK and Chinese governments intervened, and appeared to be a ’blatant breach of the contract signed by these academic institutions’. He added that they, along with the individuals, had their access suspended.
Alibaba has not officially issued a statement regarding this matter.
Professor Naomi Allen, the chief scientist of UK Biobank, said, “Ultimately, it is the fault of these rogue researchers. They are giving the global scientific community a bad name, and we are extremely cross about it. We are very sorry to all of our half a million participants that this has occurred, and we appreciate their concerns.”
One Biobank volunteer, Guardian columnist Polly Toynbee, said she was not concerned by the data leak.
“Biobank volunteers passionately believe that what they’re doing is incredibly valuable, that having this huge bank of information and data helps cure diseases, helps find causes of diseases. I don’t think many people will be very worried because that information is anonymised. Maybe they could sell details of particular cases, but it won’t be with names or addresses or anything that leads back to particular people,” she said.
‘China Data Theft Scandal’
Following the incident, Sir Rory said several measures had been put in place, including temporarily suspending access to its research platform while a ’strict limit’ was introduced to the size of files that could be extracted. The organisation will also monitor file exports ’on a daily basis for any suspicious activity’.
He added that there would be a ’full and forensic board-led investigation into this incident’.
Liberal Democrats technology spokeswoman Victoria Collins called it a ’profound betrayal’, and asked the government to demand answers from UK Biobank in response to Ian
Murray’s statement in the House of Commons. But Murray said the data being put online had not come about as a result of a ’leak or cyber-attack’.
“This was a legitimate download by a legitimately accredited organisation,” he said.
That is the problem that has been identified.
Deputy leader of Reform UK, Richard Tice, called it a ’China data theft scandal’.
Tice said, “The UK taxpayer funded approximately £200m into this UK Biobank, which was created by the UK taxpayer, and now it has been stolen by China. Can the minister confirm that our generosity actually will not be abused by those Chinese researchers, and that UK Biobank should preclude and exclude them for the future, in order to ensure that this state of theft comes with sanctions?”
Breach May Undermine Trust In UK Biobank
Professor Elena Simperl, from the department for informatics at King’s College London, said the data breach was ’not a moment to point fingers, but to take seriously what it tells us about national data infrastructure’, adding that initiatives such as the UK Biobank are ’absolutely essential’ for driving innovation in health and life sciences.
Simperl said the costs of maintaining infrastructure for flagship data stewardship projects like this are too often an afterthought, but that the data breach might have a ’wider consequence’ in damaging the confidence of people taking part in initiatives such as the Biobank.
Graeme Stewart, head of public sector at cybersecurity firm Check Point Software, said, “It only takes a relatively small drop in participation to start affecting the quality and reliability of research at scale.”
An Information Commissioner’s Office spokesman said, “Medical data is some of the most sensitive information that people have, and people expect it to be handled carefully and securely, but organisations also have a responsibility under the law. UK Biobank has informed us of an incident, and we are investigating.”