Medical information of 500,000 participants of the UK’s health data project, UK Biobank, were offered for sale online in China, the government has confirmed.
Technology minister Ian Murray said information of all members of the database was found listed for sale on the website Alibaba.
Murray told MPs the charity which runs UK Biobank had told the government about the data breach on Monday. He said the information did not include names, addresses, contact details or telephone numbers.
However he said it could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.
The Biobank is a collection of health data offered by volunteers which has been used to help improvements in detection and treatment of dementia, some cancers and Parkinson’s.
Participants were aged from 40 to 69 when they were recruited between 2006 and 2010.
UK Biobank said it was investigating the incident and thanked the UK and Chinese governments, as well as Alibaba, for support and cooperation.
“We understand that the existence of these listings, even temporarily, will be concerning to you,” Chief Executive Professor Sir Rory Collins said in a message to participants.
“We want to reassure you that all the data are de-identified; they do not contain any personally identifying information (such as names, addresses, dates of birth, and NHS numbers).”
Murray told MPs the government has been told no purchases were made from the three listings on the website.
He said: “The UK Biobank charity informed the government that it had identified that a data had been advertised for sale by several sellers on Alibaba e-commerce platforms in China.”
Alibaba has been contacted for comment.
A spokesperson for the Information Commissioner’s Office said: “People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.
“UK Biobank has made us aware of an incident and we are making enquiries.”
One Biobank volunteer – Guardian columnist Polly Toynbee – told the BBC she was not worried by the data breach.
“Biobank volunteers passionately believe that what they’re doing is incredibly valuable, that having this huge bank of information and data helps cure diseases, helps find causes of diseases,” she said.
“I don’t think many people will be very worried because that information is anonymised.
“Maybe they could sell details of particular cases, but it won’t be with names or addresses or anything that leads back to particular people. So I don’t think this will rattle all the magnificent volunteers who’ve got in for this.”
Breach of contract
Sir Rory told volunteers in his letter the data involved in the incident had been made available to researchers at three institutions.
He said while it was “swiftly” removed by Alibaba, following support from the UK and Chinese government, the data’s appearance on the Chinese e-commerce platform amounted to a “clear breach of the contract signed by these academic institutions”.
“They, along with the individuals involved, have had their access suspended,” Sir Rory added.
His letter said a number of measures had been imposed following the incident.
These included a temporarily suspending access to its research platform while a “strict limit” is imposed on the size of files that can be removed from it, and would monitor file exports daily “for any suspicious behaviour”.
It said there would also be a “comprehensive and forensic board-led investigation of this incident”.
Reacting to Murray’s statement in the House of Commons, Liberal Democrats technology spokeswoman Victoria Collins branded the situation a “profound betrayal” and urged the government to hold UK Biobank accountable.
But Murray said the data being placed on the internet had not occurred through a “leak or cyber-attack”.
“This was a legitimate download by a legitimately accredited organisation,” he said. “That is the problem that’s been identified.”
Reform UK’s deputy leader has branded the breach a “China data theft scandal”.
Richard Tice said: “The UK taxpayer funded £200 million, approximately, for setting up UK Biobank.
“Can the minister confirm that our generosity actually will not be abused by those Chinese researchers and that UK Biobank should preclude and exclude them for the future, in order to ensure that this state of theft comes with sanctions?”
Murray criticised the “tenor” of Tice’s question, saying it did not fit “with the seriousness of this particular issue”, adding that thousands of Chinese researchers have worked with the Biobank “since 2012 safely and securely”.
‘Wider consequence’
The data breach is “not a moment to point fingers, but to take seriously what it tells us about national data infrastructure,” said Prof Elena Simperl, from King’s College London’s department for informatics.
She said initiatives like the UK Biobank are “absolutely essential” in driving innovation in health and life sciences.
“Too often, the costs of maintaining infrastructure for flagship data stewardship projects like this are treated as an afterthought,” Simperl added.
But the data breach could have a “wider consequence” in damaging the confidence of the public in taking part in initiatives such as the Biobank, according to Graeme Stewart, head of public sector at cybersecurity firm Check Point Software.
“It only takes a relatively small drop in participation to start affecting the quality and reliability of research at scale,” he said.
Will Richmond-Coggan of Freeths said “deidentified” data can still be treated as personal data, warning that the detailed nature of the information could risk re-identification of the participants.
Source: bbc.co.uk
Be the first to comment