Medical data of half a million Britons on sale in China after Biobank breach
Biobank operator is taking steps to improve security after biological, health and lifestyle information from its database was offered for sale on a Chinese website
Medical data belonging to half a million British citizens has been offered for sale on a Chinese website following a security breach at health information database UK Biobank.
Technology minister Ian Murray said that data obtained from UK Biobank had been advertised for sale by several sellers on Alibaba e-commerce platforms in China, in what he called an “unacceptable abuse”.
UK Biobank, a non-profit charity, collects medical data provided by volunteers and shares it with researchers around the world to further medical research in cancer, heart disease and ways of predicting dementia.
The charity informed the UK government on Monday that it had identified anonymised data from its volunteers for sale by three sellers on Alibaba, including at least one listing that appeared to offer anonymised data from its 500,000 volunteers.
Unacceptable abuse of data
“This has been an unacceptable abuse of the UK Biobank charity’s data and an abuse of the trust that participants rightly expect when sharing their data for research purposes,” Murray said in a statement to Parliament.
UK Biobank has assured its volunteers that the data contained no participants’ names, addresses, contact details, or telephone numbers. The charity does not believe that any of the data was sold.
UK Biobank said it had now revoked access for the research institutions identified as the source of the breach of its UK data cloud.
Murray said the UK government had worked quickly with Biobank, the Chinese government and Alibaba to take down the listings offering the data.
“We have asked the Biobank charity to pause further access to its data until they have put in place a technical solution to prevent data from its current platform from being downloaded in this way again,” he said.
Biobank will improve security
Rory Collins, chief executive of Biobank, told volunteers in a statement that personally identifiable information (PII) was safe and that it would put additional security measures in place to prevent the incident from happening again.
He said that researchers go through a rigorous access review process and institutions sign a contract committing to keeping data secure before they are given access to Biobank.
“This is a clear breach of the contract signed by these academic institutions, and they, along with the individuals involved, have had their access suspended,” he added.
Biobank has temporarily suspended all access to its UK cloud-based research platform, and plans to introduce a limit on the size of files that can be taken off the platform. It will also monitor files exported from the platform for suspicious behaviour.
The charity said it was developing an automated checking system to prevent de-identified data from being taken off its research platform, while still allowing scientists to conduct research. The system will be in place by the end of the year.
UK government to issue guidance
Murray said the government would soon be issuing guidance on controlling data from research studies, and urged businesses and charities to ensure their systems and data-sharing processes are as secure as possible.
The charity has reported the incident to the Information Commissioner’s Office (ICO).
An ICO spokesperson said: “People’s medical data is highly sensitive information. Not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law. UK Biobank has made us aware of an incident, and we are making enquiries.”
