UK Biobank health data listed for sale in China, government confirms

Medicalinformation of 500,000 participantsof the UK's health data project, UK Biobank, were offered for sale online in China, the government has confirmed.

Technology minister Ian Murray said information of all members of the database was found listed for sale on the website Alibaba.

Murray told MPs the charity which runs UK Biobank had told the government about the data breach on Monday. He said the information did not include names, addresses, contact details or telephone numbers.

However he said it could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.

The Biobank is a collection of health data offered by volunteers which has been used to help improvements in detection and treatment of dementia, some cancers and Parkinson's.

Participants were aged from 40 to 69 when they were recruited between 2006 and 2010.

UK Biobank said it was investigating the incident and thanked the UK and Chinese government, as well as Alibaba, for support and cooperation.

"We understand that the existence of these listings, even temporarily, will be concerning to you," Chief Executive Professor Sir Rory Collins said in a message to participants.

"We want to reassure you that all the data are de-identified; they do not contain any personally identifying information (such as names, addresses, dates of birth, and NHS numbers)."

Murray added the government has been told no purchases were made from the three listings on the website.

He said the listings have since been taken down and also thanked the Chinese government for their cooperation.

He said: "The UK Biobank charity informed the government that it had identified that a data had been advertised for sale by several sellers on Alibaba e-commerce platforms in China."

Alibaba has been contacted for comment.

An spokesperson for the Information Commissioner's Office said: "People's medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.

"UK Biobank has made us aware of an incident and we are making enquiries."

One Biobank volunteer - Guardian columnist Polly Toynbee - told the BBC she was not worried by the data breach.

"Biobank volunteers passionately believe that what they're doing is incredibly valuable, that having this huge bank of information and data helps cure diseases, helps find causes of diseases," she said.

"I don't think many people will be very worried because that information is anonymised.

"Maybe they could sell details of particular cases, but it won't be with names or addresses or anything that leads back to particular people. So I don't think this will rattle all the magnificent volunteers who've got in for this."

Sir Rory told volunteers in his letter the data involved in the incident had been made available to researchers at three institutions.

He said while it was "swiftly" removed by Alibaba, following support from the UK and Chinese government, the data's appearance on the Chinese e-commerce platform amounted to a "clear breach of the contract signed by these academic institutions".

"They, along with the individuals involved, have had their access suspended," Sir Rory added.

His letter said a number of measures had been imposed following the incident.

These included a temporarily suspending access to its research platform while a "strict limit" is imposed on the size of files that can be removed from it, and would monitor file exports daily "for any suspicious behaviour".

It said there would also be a "comprehensive and forensic Board-led investigation of this incident".

Reacting to Murray's statement in the House of Commons, Liberal Democrats technology spokeswoman Victoria Collins branded the situation a "profound betrayal" and urged the government to hold UK Biobank accountable.

But Murray said the data being placed on the internet had not occurred through a "leak or cyber-attack".

"This was a legitimate download by a legitimately accredited organisation," he said. "That is the problem that's been identified."

Reform UK's deputy leader has branded the breach a "China data theft scandal".

Richard Tice said: "The UK taxpayer funded £200 million, approximately, for setting up UK Biobank.

"Can the minister confirm that our generosity actually will not be abused by those Chinese researchers and that UK Biobank should preclude and exclude them for the future, in order to ensure that this state of theft comes with sanctions?"

Murray criticised the "tenor" of Tice's question, saying it did not fit "with the seriousness of this particular issue".

He added: "There are thousands of Chinese researchers working every day on data from the UK Biobank and other datasets from across the world. They have been doing that since 2012 safely and securely."

Additional reporting by Chris Vallance.

Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.