UK Biobank data breach dubbed ‘deeply concerning’


Research charity sets out action plan to tighten up access to files on its database after anonymised details of 500,000 volunteers were offered for sale on consumer website in China

UK Biobank has announced that anonymised health data of 500,000 volunteers was offered for sale on a website in China – a revelation described as “deeply concerning” by the chair of parliament’s Science, Innovation and Technology Committee.

The charity said it had temporarily suspended all access to its platform following the discovery last week so that a “strict limit” could be placed on the size of files that accredited researchers can take from the database.

UK Biobank brings together data donated by volunteers that is shared with researchers across the world with the aim of making significant scientific discoveries that improve patient health. Uses to which the data is put include discovering genes that affect the risk of heart disease or cancer and identifying new ways of predicting dementia.

Chief executive and principal investigator Prof Sir Rory Collins said participant data made available to researchers at three academic institutions had been found listed for sale on a consumer website in China that is owned by Alibaba.

“This is a clear breach of the contract signed by these academic institutions and they, along with the individuals involved, have had their access suspended,” he said.


Dame Chi Onwurah, who chairs Westminster’s Science, Innovation and Technology Committee, said the UK Biobank revelation highlighted the slow pace of progress with protecting public data.

“It’s deeply concerning to learn that the highly sensitive data held by the Biobank has not been subject to proper controls,” she said. “My committee has carried out extensive scrutiny of public sector information security and data hygiene. In February, [digital government minister] Ian Murray and government officials assured us that standards would improve, and public data would be better protected.”

She added: “Today’s statement, however, demonstrates just how little progress has been made. It raises serious questions about whether lessons have been learned from repeated data breaches and leaks, and whether robust data management practices are being enforced at publicly funded bodies. Public trust in the handling of sensitive data is key to the government’s digital transformation ambitions. This is another blow to public confidence.”

The Information Commissioner’s Office confirmed it has been informed of the breach.

“People’s medical data is highly sensitive information; not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” a spokesperson said. “UK Biobank has made us aware of an incident and we are making enquiries.”

UK Biobank’s Collins apologised to volunteers whose data has been compromised and stressed that the files being offered for sale were “de-identified”.

Researchers are required to do their research on UK Biobank’s restricted, cloud-based research platform hosted in the UK. Collins said that placing a “strict limit” on the size of files that can be taken from the platform would allow research to continue but “severely limit” the chance of future large-scale downloads.

“In addition, all files exported from the research platform will be monitored daily for any suspicious behaviour,” he said. “These security measures will further minimise the potential for misuse of UK Biobank data.”

Collins said a “world-first” automated checking system that can prevent de-identified participant data from being taken off the UK Biobank platform is expected to be in place by the end of the year.

In a message to volunteers, he said: “We are sorry that this incident has occurred and hope you are reassured by the swift and decisive action we have taken.”

UK Biobank informed ministers about the data breach on Monday, MPs have been told.

In a statement to parliament, minister for digital government and data Ian Murray said officials had worked with the charity and the Chinese government to ensure that three listings selling data that had been discovered were removed. “I want to thank the Chinese government for the speed and seriousness with which they worked with us to help remove these listings and ongoing work to remove any further listings,” he said.

“This has been an unacceptable abuse of the UK Biobank charity’s data and an abuse of the trust that participants rightly expect when sharing their data for research purposes.”

Nevertheless, Murray said ministers expect UK Biobank “to remain one of the leading health research resources”.

Jim Dunton
