UK Biobank health data listed for sale in China, government confirms
Medical information of 500,000 participants of one of the UK's landmark scientific programmes, UK Biobank, was offered for sale online in China, the government has confirmed.
Technology minister Ian Murray said information of all members of the database was found listed for sale on the website Alibaba.
Murray told MPs the charity which runs UK Biobank had told the government about the breach on Monday. He said the information did not include names, addresses, contact details or telephone numbers.
However, he said it could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.
The Biobank is a collection of health data offered by volunteers which has been used to help improve the detection and treatment of dementia, some cancers and Parkinson's.
It has collected intimate details - including whole body scans, DNA sequences and their medical records - from hundreds of thousands of volunteers for over two decades. The project has led to more than 18,000 scientific publications.
Participants were aged from 40 to 69 when they were recruited between 2006 and 2010.
UK Biobank said it was investigating the incident and thanked the UK and Chinese governments, as well as Alibaba, for support and cooperation.
"We understand that the existence of these listings, even temporarily, will be concerning to you," Chief Executive Professor Sir Rory Collins said in a message to participants.
"We want to reassure you that all the data are de-identified; they do not contain any personally identifying information (such as names, addresses, dates of birth, and NHS numbers)."
Sir Rory told volunteers in his letter the data involved in the incident had been made available to researchers at three institutions.
He added the data was "swiftly" removed by Alibaba, following support from the UK and Chinese governments, but the data's appearance amounted to a "clear breach of the contract signed by these academic institutions".
"They, along with the individuals involved, have had their access suspended," Sir Rory added.
Murray told MPs the government has been told no purchases were made from the three listings on the website.
Alibaba has been contacted for comment.
Extremely cross
UK Biobank's chief scientist Prof Naomi Allen told the BBC that "ultimately it's the fault of these rogue researchers".
She said these researchers are "giving the global scientific community a bad name" and that she and her colleagues are "extremely cross" about the data leak.
"We're very sorry to all of our half a million participants that this has occurred, we appreciate their concerns," Allen added.
One Biobank volunteer - Guardian columnist Polly Toynbee - told the BBC she was not worried by the data breach.
"Biobank volunteers passionately believe that what they're doing is incredibly valuable, that having this huge bank of information and data helps cure diseases, helps find causes of diseases," she said.
"I don't think many people will be very worried because that information is anonymised.
"Maybe they could sell details of particular cases, but it won't be with names or addresses or anything that leads back to particular people. So I don't think this will rattle all the magnificent volunteers who've got in for this."
Profound betrayal
Sir Rory said a number of measures had been imposed following the incident.
These included temporarily suspending access to its research platform while a "strict limit" is imposed on the size of files that can be removed from it, and monitoring file exports daily "for any suspicious behaviour".
It said there would also be a "comprehensive and forensic board-led investigation of this incident".
Reacting to Murray's statement in the House of Commons, Liberal Democrats technology spokeswoman Victoria Collins branded the situation a "profound betrayal" and urged the government to hold UK Biobank accountable.
But Murray said the data being placed on the internet had not occurred through a "leak or cyber-attack".
"This was a legitimate download by a legitimately accredited organisation," he said. "That is the problem that's been identified."
Reform UK's deputy leader branded the breach a "China data theft scandal".
Richard Tice said: "The UK taxpayer funded £200m, approximately, for setting up UK Biobank.
"Can the minister confirm that our generosity actually will not be abused by those Chinese researchers and that UK Biobank should preclude and exclude them for the future, in order to ensure that this state of theft comes with sanctions?"
Murray criticised the "tenor" of Tice's question, saying it did not fit "with the seriousness of this particular issue", adding that thousands of Chinese researchers have worked with the Biobank "since 2012 safely and securely".
Wider consequence
The data breach is "not a moment to point fingers, but to take seriously what it tells us about national data infrastructure," said Prof Elena Simperl, from King's College London's department for informatics.
She said initiatives like the UK Biobank are "absolutely essential" in driving innovation in health and life sciences.
"Too often, the costs of maintaining infrastructure for flagship data stewardship projects like this are treated as an afterthought," Simperl added.
But the data breach could have a "wider consequence" in damaging the confidence of the public in taking part in initiatives such as the Biobank, according to Graeme Stewart, head of public sector at cybersecurity firm Check Point Software.
"It only takes a relatively small drop in participation to start affecting the quality and reliability of research at scale," he said.
Will Richmond-Coggan of Freeths said "deidentified" data can still be treated as personal data, warning that the detailed nature of the information could risk re-identification of the participants.
A spokesperson for the Information Commissioner's Office said: "People's medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.
"UK Biobank has made us aware of an incident and we are making enquiries."
Additional reporting by Chris Vallance and James Gallagher.

