UK Biobank patient data stolen and placed on sale in China

News

There has been a major data security lapse at the UK Biobank, with "de-identified" data from its 500,000 volunteers listed for sale in China.

A message to participants in the Biobank, sent from chief executive Prof Sir Rory Collins today, notes that "listings offering access to UK Biobank data …were found on a Chinese consumer website [but] were swiftly removed before any purchases were made."

Initial reports suggest that the data was offered through Alibaba's Taobao platform, the largest online retail platform in China, which has been cited for a number of years as having problems with intellectual property (IP) protection in the US Trade Representative (USTR) annual 'Notorious Markets' report.

It is understood that the breach did not reveal any personal data, such as names, addresses, contact details, and NHS numbers, but the breach appears to have exposed data that would normally be accessible only by vetted, bona fide researchers from academic, charity, government, and commercial organisations.

According to the UK government, the breach seems to have originated from research organisations granted access to the data legitimately, rather than a hacker group, and that access by these groups has now been revoked.

Last year, news that one in five data access requests came from Chinese research groups sparked a warning from MI5, reported by The Guardian, about concerns that they may share data with Chinese intelligence agencies.

While Collins said that measures had been taken to make sure that this type of incident cannot occur again, including an upgrade that helps prevent de-identified data being taken out of the platform, the breach could dent confidence in the security of health information, just as the UK government is preparing to launch a data-sharing initiative for records held by GPs to other organisations, including the Biobank.

The Minister for Science, Innovation, and Technology, Ian Murray, told Parliament this today that at least three listings had appeared offering the data, including one that appeared to "contain data from all 500,000 UK Biobank volunteers."

He added that "additional listings offered support for applying for legitimate access to UK Biobank or analytical support for researchers who already have access to the data," and indicated that – based on discussions with the listings website owner – there had been no recorded sales of the information.

At the moment, it's not clear if the data is also being offered for sale through other channels, including the Dark Web.

A pause has been placed on access to the Biobank while a technical solution is implemented to "prevent data from its current platform from being downloaded in this way again," said Murray.

He added: "This has been an unacceptable abuse of the UK Biobank charity's data and an abuse of the trust that participants rightly expect when sharing their data for research purposes," and said the government will be issuing new guidance on control of data from research studies.

Studies conducted using Biobank data have already yielded important new findings, such as the discovery of genes that affect the risk of heart disease or cancer, new ways to predict dementia, and early warning signals for cancers and Parkinson's disease.

Market Access
12 questions with: Daniel Kohlstaedt

12 questions with: Daniel Kohlstaedt

Daniel Kohlstaedt, managing director of PurpleLeaf Strategy, with more than 18 years of experience in pharma, talks about his journey through the industry.