Last week, data from 500,000 participants of UK Biobank’s database were made available for sale online following a breach, the UK Government’s technology minister has confirmed.
In an oral statement delivered in the House of Commons today (23 April), UK technology minister Ian Murray confirmed that data for all members involved in the database was found listed for sale on the Chinese e-commerce website Alibaba.
Go deeper with GlobalData
Discover B2B Marketing That Performs
Combine business intelligence and editorial excellence to reach engaged professionals across 36 leading media platforms.
UK Biobank is a health data project that aims to improve disease prevention and treatment by providing anonymised genetic, physical, and medical data from volunteers to approved researchers to support studies for conditions including cancer, dementia and heart disease.
Murray confirmed that the charity made the government aware of the breach on 20 April. Biobank summarily told the government that three listings that appeared to sell UK Biobank participant data had been identified on Alibaba, with at least one of these datasets appearing to contain data from all 500,000 UK Biobank volunteers. Meanwhile, additional listings offered support for applying for legitimate access to UK Biobank or analytical support for researchers who already had access to the data.
Biobank also clarified that the data did not contain participants’ names, addresses, contact details, or telephone numbers, but could include data such as gender, age, month and year of birth.
In a statement on its website, Professor Sir Rory Collins, CEO and principal investigator of UK Biobank, explained that the data put up for sale on Alibaba was de-identified volunteer data that had been made available to researchers at three unspecified academic institutions.
“Alibaba swiftly removed those listings before any sales were made. This is a clear breach of the contract signed by these academic institutions and they, along with the individuals involved, have had their access suspended,” Collins said.
In response to the incident, Collins said that UK Biobank had temporarily suspended all access to the database’s research platform and emplaced “a strict limit on the size of files that can be taken off the platform”.
“This measure will allow researchers to export the results of their research, while severely limiting their ability to take any de-identified participant data off the platform,” Collins continued.
Commenting on the breach, Kirsty Gouldsmith, data protection partner at law firm Spencer West, said: “The public needs to understand how this breach happened and what UK Biobank will do to prevent further breaches. It is a significant data breach for the health information of 500,000 members to be offered for sale on Alibaba.
“Alibaba is a regular website that anyone can buy a product from. It’s fortunate that no sales were made, considering that the information was listed for sale three times. UK Biobank needs to explain how a breach of this magnitude happened,” Gouldsmith continued.
