Data from 500,000 people who volunteered their health information to the UK Biobank has been breached and offered for sale online in China.
Technology minister Ian Murray said information of all half a million members had been listed for sale on the website Alibaba, as he called the incident an “unacceptable abuse” of data.
He told the Commons on Thursday that the charity had informed the government about the data breach on Monday, and said the information did not include names, addresses or contact details.
Mr Murray told MPs: “Biobank told us that three listings that appear to sell … Biobank participation data had been identified. At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers.
“Additional listings offer support for applying for legitimate access to UK Biobank or analytical support for researchers who already have access to the data.”
The Biobank is the world’s most comprehensive dataset of biological, health and lifestyle information. It has been used to achieve improvements in the detection and treatment of dementia, cancers and Parkinson’s.
“The government has spoken to the vendor today, and they did not believe that there were any purchases from the three listings before they were taken down,” Mr Murray added.
The UK Biobank was established to advance medical research and scientists from across the world can use its data – with the personal information removed – for studies that are deemed in the public interest.
All of the participants were aged between 40 and 69 years old when they joined the study between 2006 and 2010. Their data is used to track their long-term health and help researchers to understand, prevent and treat serious illnesses.
UK Biobank has referred itself to the Information Commissioner’s Office following the breach, Mr Murray said.
Mr Murray said the data involved in the breach could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.
He said he could not give a complete guarantee that nobody could be identified, but said it would likely only be done so through a “very advanced way”.
In a statement, he told the Commons: “Once the government was made aware of the situation, we took immediate action to protect participants’ data. Firstly, we worked with Biobank, the Chinese government and the vendor, to ensure that those three listings – that UK Biobank informed us (of), including participant data – had been removed.
“I want to thank the Chinese government for the seriousness with which they work with us to help remove these listings.
“Secondly, we ensured that the Biobank charity revoked access to three research institutions identified as the source of that information.
“And thirdly, we have asked that the Biobank charity pause further access to its data until they put in place a technical solution to prevent data from its current platform from being downloaded in this way again. I can confirm to the House that this pause is now in place.”
In a statement published on Thursday, Professor Sir Rory Collins, chief executive and principal investigator of UK Biobank, told those in the study: “We would like to inform you about an incident involving UK Biobank data.
“We apologise to our participants for the concern this will cause, and we hope to provide reassurance by outlining the serious actions we are taking in response.
“Your personally identifying information in UK Biobank is safe and secure.
“Listings offering access to UK Biobank data (which did not contain any personally identifying information) were found on a Chinese consumer website. These listings were swiftly removed before any purchases were made.
“We are putting in place additional security measures to prevent this happening again. We will conduct a comprehensive investigation into this incident.
“Since UK Biobank started to make your de-identified data available for research in 2012, it has led to thousands of discoveries that are already leading to improvements in the prevention and treatment of many different diseases.”
Professor Elena Simperl, Department of Informatics at King’s College London, said: “The recent UK Biobank data exposure is not a moment to point fingers, but to take seriously what it tells us about national data infrastructure. Initiatives like UK Biobank are absolutely essential to driving innovation across the health and life sciences ecosystem.
“With longitudinal data on half a million volunteers and more than 18,000 peer-reviewed papers to its name, the UK is world-leading in this space, and rightly proud of it.
“What happened here was an infrastructure problem, not the result of a complex cyber attack. Too often, the costs of maintaining infrastructure for flagship data stewardship projects like this are treated as an afterthought. The UK has built something remarkable, but we need to keep investing in keeping it safe.”
