Health data listed for sale on Alibaba in China

Data from the health charity, UK Biobank, was listed for sale by at least three sellers on the Chinese Alibaba e-commerce platform, a UK government minister told Parliament on Thursday.

Ian Murray, Labour MP for Edinburgh South and minister of state for the Department of Science, Innovation and Technology, told Parliament the charity first alerted the government to the issue on Monday.

He said the data was no longer listed for sale and it did not appear any buyers would have paid for access, thanking the Chinese government for “the speed and seriousness with which they worked with us to help remove these listings.”

What did the government say on the data being listed for sale on Alibaba?

Murray said UK Biobank told the government that at least three listings offered to sell data that volunteers had given to the UK charity to improve research capabilities around the world.

“It appears that at least one of these datasets includes data from all 500,000 UK Biobank volunteers,” Murray told the House.

“However, I want to reassure the House that the biobank has advised that this data does not include people’s names, addresses, contact details or telephone numbers,” he said.

He said, “The government has spoken to the seller today, and they do not believe any purchases were made from the three listings before they were removed. Once the government became aware of the situation, we took immediate action to protect participants’ data.”


How did the UK Biobank respond?

The UK Biobank suspended all access to its research platform as a short-term precautionary response to the incident.

Chief executive Rory Collins apologized for the restrictions, saying in a message to participants, “We have temporarily suspended all access to the UK Biobank research platform, while we have imposed a strict limit on the size of files that can be removed from the platform.”

Murray also said that the charity had referred itself to the Information Commissioner’s Office for a review of the incident.

“Second, we ensured that the biobank charity revoked access to the three research institutions identified as the sources of that information,” Murray said.

Collins of Biobank described the actions of the individuals who leaked the information as “a clear breach of the contract signed with UK Biobank” and said, “They, along with their academic institutions, immediately suspended their access.”

The charity is one of the larger “biobanks” – often government-backed projects that seek to collect and aggregate various medical data and samples from around the world, usually on an anonymous basis. The system is often considered one of the most significant breakthroughs in modern biomedical research, facilitating quick and easy access to vast datasets for researchers.

“We are still working with the biobank to find out from them what happened. We have asked them to investigate how this data ended up for online sale as a priority,” Murray told the House of Commons on Thursday.


What more information did the opposition ask for?

Conservative MP Lincoln Jope, who referenced his previous experience in dealing with such data breaches as chief operating officer of a technology company, called the case a “very serious incident”.

“The UK Biobank is an amazing project with thousands of trusted volunteers,” Jope said. He said he hoped the government would support the UK Biobank’s efforts to improve security, “including by scrutinizing the research institutions it trusts.”

He asked Murray whether the research institutes themselves were banned from China and also asked how likely it was that the data was now in the hands of the Chinese government. He also asked whether research institutions in “Russia, Iran or North Korea” were among those with access to UK Biobank records, and what kind of data, if not personal information, was listed for sale.

Murray said examples of the types of more clinically-relevant data could include “gender, age, month and year of birth,” attendance dates, socioeconomic status, lifestyle habits, sleep, diet, mental health and health outcome data, among many other things. The minister said that although the charity could not be “100% assured” that individuals could not be identified using such data, the biobank considered this to be unlikely in most circumstances.

Murray said that as he understood from the charity UK Biobank, Russia, Iran and North Korea were not accredited to access the database.

“The UK Biobank is very strict about who can access, because there is an accreditation process,” Murray said. “But secondly, although in this particular case these three institutions are Chinese, still, along with the British Embassy in Beijing, the Chinese and Alibaba have been very active in helping us to root out whatever comes up. And they are currently going through that process.”

“For example, Yale had its accreditation suspended for a data breach,” Murray said. “So it’s not a country-specific issue, it just happens that in this particular issue, three of the institutions were Chinese.”

Edited by: Alex Berry
