The confidential health records of half a million British volunteers have been offered for sale on Chinese website Alibaba, the UK government has confirmed.
The data, belonging to participants in the UK Biobank project, was found for sale on three separate listings last week. The records have now been removed and it is not believed any sales were made.
The latest breach comes after the Guardian revealed last month that UK Biobank data had been exposed online dozens of times and will raise further questions about whether security has been too lax.
Ian Murray, the technology minister, told the Commons: “On Monday 20 April, the UK Biobank charity informed the government that it had identified their data had been advertised for sale by several sellers on Alibaba’s e-commerce platforms in China.
“Biobank told us that three listings that appear to sell … Biobank participation data had been identified. At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers.”
The data found for sale was “de-identified”, meaning it does not include names, addresses or precise dates of birth.
The UK Biobank holds the health data of 500,000 volunteers, including genome sequences, brain scans, blood samples and diagnostic records. Scientists at universities and private companies across the world apply for access and, until late 2024, were free to download data directly on to their own computer systems – something that experts have repeatedly warned posed a security risk.
In February, the health secretary, Wes Streeting, signed a legal direction that allowed the coded GP data of all volunteers’ to be shared with UK Biobank for the first time.
Murray said the government worked with Biobank, the Chinese government and Alibaba to have the listings removed. “I want to thank the Chinese government for the speed and seriousness with which they worked with us to help remove those listings and the ongoing work to remove any further listings,” he said.
“Secondly, we ensured that the Biobank charity revoked access to the three research institutions identified as the source of that information. Thirdly, we have asked that Biobank charity pause further access to its data until they have put in place a technical solution to prevent data from its current platform from being downloaded.”
He said Biobank worked with only “accredited organisations and institutions and individual academic researchers”, adding: “This was not a leak. This was a legitimate download by a legitimately accredited organisation.”
UK Biobank has referred itself to the Information Commissioner’s Office.
Prof Rory Collins, chief executive and principal investigator of UK Biobank, said: “We take the protection of participants’ data extremely seriously and do not tolerate any form of data misuse. With support from the UK government, Chinese authorities and Alibaba, three listings for de-identified data were swiftly removed before a sale was made. The actions of these individuals are a clear breach of the contract they signed with UK Biobank and they, along with their academic institutions, immediately had their access suspended.
“We apologise for the concern this will cause and have already put in place technology, processes and a board-led review to stop this happening again. We have also taken our research platform offline whilst we add a further upgrade that helps prevent de-identified data being taken out of the platform. We expect this to take three weeks. Our existing plans to implement an automated ‘airlock’ that checks files and data continues at pace.”
Source: Read Full Article
