Half a million Biobank members had data listed for sale, minister says

The Biobank is the world’s most comprehensive dataset of biological, health and lifestyle information. It has been used to achieve improvements in detection and treatment of dementia, cancers and Parkinson’s.

Mr Murray told MPs the charity which runs Biobank had told the Government about the data breach on Monday. He said the information did not include names, addresses, contact details or telephone numbers.

Mr Murray said the information had been legitimately downloaded by three research institutions in China. They have since had their access revoked. The Government is working to establish how the breach occurred.

Ministers have been told that no purchases were made from the three listings on the website. They have been taken down and Mr Murray thanked the Chinese Government for their co-operation.

Chief executive of Biobank Sir Rory Collins said the charity had temporarily closed access to the research platform.

Sir Rory apologised to participants and said additional security measures will be put in place.

Speaking in the Commons, Mr Murray said: “The UK Biobank charity informed the Government that it had identified their data had been advertised for sale by several sellers on Alibaba e-commerce platforms in China.

“Biobank told us that in three listings that appeared to sell… Biobank participation data had been identified. At least one of these three data sets appear to contain data from all 500,000 UK Biobank volunteers.”

Biobank says it removes personal identifying information such as names and addresses on all 500,000 volunteers before giving scientists access to the data.

This means details including names, addresses, dates of birth and NHS numbers are not contained in the data.

However Mr Murray said the data involved in the breach could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.

He said he could not give a complete guarantee that nobody could be identified, but said it would likely only be done so through a “very advanced way”.

Those joining UK Biobank were between 40 and 69 years of age when they joined the study between 2006-2010.

Data from it has been cited in more than 18,000 peer-reviewed scientific papers, including on major causes of ill-health.

These range from lung and cardiovascular conditions, to mental health conditions and arthritis.

A statement from its chief executive and principal investigator Sir Rory Collins apologised to volunteers and said: “We apologise to our participants for the concern this will cause, and we hope to provide reassurance by outlining the serious actions we are taking in response.

“Your personally identifying information in UK Biobank is safe and secure.”

He added: “We are putting in place additional security measures to prevent this happening again. We will conduct a comprehensive investigation into this incident.”

Mr Murray said the breach was an “unacceptable abuse of the UK Biobank charity’s data and abuse of the trust that participants readily expect when sharing the data for research purposes”.

He said: “The Government takes this incident extremely seriously which is why we have acted rapidly to support the UK Biobank charity in their response and why I wanted to update the House at this earliest opportunity.

“The Government will soon be issued new guidance on controlling data from research studies, and I’d like to take this opportunity once again to urge all businesses and charities to ensure their systems and data sharing processes are as secure as possible.

“We wrote out to businesses last week about the cyber security tools available to them for free from Government and the steps they should take to maximise security. Ensuring the safe use of UK Data is a priority for this Government.”

Luc Rocher, associate professor from the Oxford Internet Institute, University of Oxford, said: “This is the 198th known exposure of UK Biobank data since last summer.

“UK Biobank data is not just available for sale, it also remains available online for anyone to download today.

“Researchers have, in the past, repeatedly and accidentally uploaded datasets to online code-sharing platforms, and many of these files are now replicated across the web.

“UK Biobank has sought to downplay the importance of such exposures, stating that data are ‘de-identified’ and free of ‘personally identifying information’, and that no participant has been unwillingly re-identified.

“Last month, The Guardian correctly identified a single participant from just two easily known facts.

“The actions being taken today are inadequate to take down data from the web, and cannot protect the 500,000 participants whose intimate health records have been exposed (for the) 198th time this year.”

Professor Elena Simperl, Department of Informatics, King’s College London, said: “What happened here was an infrastructure problem, not the result of a complex cyber attack.

“Too often, the costs of maintaining infrastructure for flagship data stewardship projects like this are treated as an afterthought. The UK has built something remarkable, but we need to keep investing in keeping it safe.”

Professor Andrew Morris, director of Health Data Research UK, said: “To find data for sale on a website in China will be greatly concerning for participants.

“Even with all identifying information removed from the data, this is still sensitive data and a serious data breach.”

He said he pleased by the “rapid action” taken, adding: “Health research using large de-identified datasets is delivering great advances in the prevention, diagnosis and treatment of diseases affecting millions of people in the UK and globally.

“UK Biobank has been at the vanguard of many of these discoveries. But such research is only possible with the trust of participants in how their data is handled.”