A UK minister told Parliament that datasets from the research charity UK Biobank were briefly listed for sale on Alibaba by at least three vendors.
Ian Murray, Labour MP for Edinburgh South and minister of state at the Department for Science, Innovation and Technology, said the charity alerted the government on Monday. The listings have since been removed and, according to Murray, there is no evidence buyers paid for access. He thanked Chinese authorities for acting quickly with Alibaba to take the listings down.
UK Biobank reported that at least three listings appeared to offer data volunteers provided to support research. One listing appeared to contain data covering all 500,000 UK Biobank participants. The charity said the files did not include names, addresses, phone numbers or contact details.
Murray told MPs the government spoke to the vendor and does not believe purchases were made before the listings were removed. He said immediate steps were taken to protect participants’ data.
As a temporary precaution, UK Biobank suspended all access to its research platform and imposed strict limits on the size of files that can be exported. Chief executive Rory Collins said the measures were intended to prevent further leakage, and the charity has referred the matter to the Information Commissioner’s Office for review.
Access was revoked for three research institutions identified as the source of the leaked information, and the individuals and their host institutions had their platform access suspended. Collins described the disclosures as a breach of the contracts those researchers signed with UK Biobank.
UK Biobank is one of the largest repositories of medical data and biological samples, widely used by researchers to accelerate biomedical studies by providing large, anonymized datasets.
The government is working with UK Biobank to establish how the data came to be posted for sale and has asked the charity to prioritise its investigation.
Conservative MP Lincoln Jopp called the incident very serious and urged greater government support for the charity, including tighter vetting of institutions granted access. He asked whether the banned institutions were Chinese, whether any state actor might now hold the data, and whether institutions from Russia, Iran or North Korea had access.
Murray said the types of data that may have been involved include gender, age and month and year of birth, dates of attendance, socioeconomic indicators, lifestyle information, sleep and diet data, mental health records and health outcomes. He cautioned that UK Biobank cannot guarantee 100 percent that individuals could not be identified from such information, but said the charity considers the risk of re-identification to be low in most cases.
Murray added that Russia, Iran and North Korea are not accredited to access the database. He confirmed that the three institutions implicated in this incident were Chinese, and said Chinese authorities, Alibaba and staff at the British Embassy in Beijing cooperated to remove and monitor the listings. He also noted the problem is not specific to any one country, pointing to a previous suspension of Yale’s accreditation after a past breach.