The personal health data of over half a million UK Biobank volunteers has been put up for on e-commerce platforms and online marketplaces in China, following a data beach at the scientific research organization.
In a statement made to the House of Commons, the Minister for Digital Government and Data, Ian Murry, confirmed the breach.
“Biobank told us that three listings that appear to sell UK Biobank participant data had been identified. At least one of these three datasets appears to contain data from all 500,000 UK Biobank volunteers,” he said.
Murray told the Commons that Biobank informed the government that the data about their volunteers had been advertised for sale by several dealers on Alibaba e-commerce platforms in China.
The listings have since been removed and both the government and UK Biobank believe that nobody purchased the leaked data.
The UK Biobank collects data to support thousands of scientific research papers. The data gathered includes whole body scans, DNA sequences and other, sensitive medical records.
However, UK Biobank stressed that the breach didn’t contain personal information about participants, such as their names, addresses, contact details, telephone numbers or NHS Numbers.
“We understand that the existence of these listings, even temporarily, will be concerning to you. We want to reassure you that all the data are de-identified; they do not contain any personally identifying information,” said Professor Sir Rory Collins, chief executive and principal investigator of UK Biobank.
The data breach has been traced to researchers at three academic institutions who had misused their access to the data.
Collins described their actions as a “clear breach” of the contract the institutions signed, and both the researchers and the institutions have had their access to the project suspended.
“Researchers are required to do their research on our restricted, cloud-based research platform hosted in the UK to prioritise the safe and secure use of your data. In light of this incident, we are taking further steps to enhance our systems to prevent this from happening again,” he said in a statement published on April 23.
In reaction to the incident, UK Biobank has temporarily suspended all access to the research platform and is set to implement strict limits on the number of files which can be downloaded by users.
The organization added that it will conduct a “comprehensive and forensic” board-led investigation of the incident. UK Biobank also noted that it was “grateful” for the support from the UK government, as well as the “rapid co-operation” of Chinese authorities and Alibaba to remove the data.
