A UK government minister told Parliament that data from the health charity UK Biobank was briefly listed for sale by at least three vendors on the Chinese Alibaba e-commerce platform.
Ian Murray, the Labour MP for Edinburgh South and a minister of state at the Department of Science, Innovation and Technology, said the charity first alerted the government to the issue on Monday. He said the listings were no longer available and that no buyers were thought to have paid for access, thanking the Chinese government for the “speed and seriousness with which they worked with us to help remove these listings.”
Murray told the House that UK Biobank reported at least three listings appearing to sell data volunteers had provided to the charity to support research worldwide. “At least one of these datasets appeared to contain data from all 500,000 UK Biobank volunteers,” he said. He added that Biobank advised the data did not include people’s names, addresses, contact details, or telephone numbers.
“The government has spoken to the vendor today, and they do not believe there were any purchases from the three listings before they were taken down. Once the government was aware of the situation, we took immediate action to protect participants’ data,” Murray said.
UK Biobank suspended all access to its research platform as a short-term precaution. Chief executive Rory Collins said in a message to participants that the charity had temporarily suspended platform access while imposing a strict limit on the size of files that can be taken off the platform. Murray said the charity had referred itself to the Information Commissioner’s Office for review.
“We ensured that the Biobank charity revoked access for the three research institutions identified as the source of that information,” Murray said. Collins described the actions of those leaking information as “a clear breach of the contract they signed with UK Biobank,” and said the individuals and their academic institutions immediately had their access suspended.
UK Biobank is one of the larger biobanks, projects that collect and collate medical data and samples, typically anonymized. Such projects are regarded as major advances in biomedical research because they enable researchers to access large datasets quickly.
Murray said the government is working with Biobank to determine exactly how the data ended up for sale online and has asked the charity to investigate the matter as a priority.
Conservative MP Lincoln Jopp, citing past experience handling data breaches in the private sector, described the case as “a very grave incident.” He urged government support for UK Biobank to improve security, including vetting research institutes granted access. He asked whether the banned institutes were Chinese, whether the Chinese government might now possess the data, and whether institutions from Russia, Iran or North Korea had access. He also asked what kind of data had been listed if not personal contact information.
Murray said the types of medically relevant data that might have been involved included gender, age, month and year of birth, attendance dates, socioeconomic status, lifestyle habits, sleep, diet, mental health and health outcomes. He said the charity could not “assure 100%” that individuals could not be identified from such data, but Biobank considered the likelihood low in most circumstances.
He said Russia, Iran and North Korea were not accredited for access to the database. “UK Biobank are very strict about who can access, because there is an accreditation process,” Murray said. He added that although the three institutions in this case were Chinese, the Chinese authorities and Alibaba, with help from the British Embassy in Beijing, had been proactive in taking down listings and continuing to monitor for further posts.
Murray noted the issue is not country-specific, citing Yale, which previously had its accreditation suspended for a breach of data.
Edited by: Alex Berry