Confidential medical data belonging to half-a-million UK citizens has been breached from UK Biobank and put up for sale on a Chinese website.
The UK Biobank holds de-identified biological samples and health data of 500,000 volunteers – used to advance cancer, dementia and Parkinson’s care.
But technology minister Ian Murray announced today there has been a large-scale data breach which resulted in highly confidential information being stolen.
The data has been found for sale on three separate listings on the Chinese e-commerce site Alibaba on Monday 20 April.
‘At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers,’ Murray told the House of Commons.
‘Additional listings offer support for applying for legitimate access to UK Biobank or analytical support for researchers who already have access to the data.
‘I want to reassure the House up front however, that Biobank have advised that this data did not contain participants, names, addresses, contact details or telephone numbers.’
He added that the Government have today spoken to the vendor and do not believe there were any purchases from the three listings before they were taken down.
Half a million Biobank volunteers’ health data was listed for sale on a Chinese website following a serious data breach
But according to reporting by The Times, Government sources have slammed the Biobank’s security arrangements, labelling them ‘extremely lax.’
Professor Sir Rory Collins, chief executive and principal investigator at Biobank, said it takes data protection ‘extremely seriously’.
‘Last week, we found that de-identified participant data made available to researchers at three academic institutions were listed for sale on a consumer website in China, owned by Alibaba,’ he said.
‘This is a clear breach of the contract signed by these academic institutions and they, along with the individuals involved, have had their access suspended.’
Data sets including gender, age, month, birth year, socio-economic status, lifestyle habits and measures from biological samples were included in the breach.
As a result, Mr Murray said he could not guarantee that no one can be identified from the data.
The Biobank have formally apologised for the concern the breach has caused and said it has already put technology in place to stop this happening again.
The Biobank is ran independently from government.
It is the world’s most comprehensive database of health and lifestyle information and is used by researchers globally looking into what happens as we age.
Biobank states it removes all personal information including names and addresses before granting researchers access to the data.
Prof Collins added: ‘Researchers have to go through our rigorous access review process, and their institutions sign a contract committing to keep the data secure, before we make the data available to them for research.
‘Even though we only ever share de-identified data and have no evidence of any of you being identified unwillingly, we don’t want any use by anyone who has not been approved for access.
‘We are sorry that this incident has occurred and hope you are reassured by the swift and decisive action we have taken.’
The research platform will remain offline for around three weeks, while further security measures are put in place which it hopes will help prevent future breaches.
The UK Biobank study began in 2006.