The British government is investigating how health data volunteered to a charity for research purposes wound up for sale via three vendors on the Alibaba e-commerce site in China. One listing had 500,000 people's data.
https://p.dw.com/p/5CiUKBiobanks, in this case in Paris, collect, collate, store and manage samples and health data en masse, making the anonymized data available to accredited researchers Image: Thomas Samson/AFPAdvertisementA UK government minister told Parliament on Thursday that data from a health charity, UK Biobank, was briefly listed for sale by at least three vendors on the Chinese Alibaba e-commerce platform.
Ian Murray, the Labour MP for Edinburgh South and a minister of state at the Department of Science, Innovation and Technology, told Parliament that the charity first alerted the government to the issue on Monday.
He said that the data was no longer listed for sale and that no buyers were thought to have paid for access, thanking the Chinese government for the "speed and seriousness with which they worked with us to help remove these listings."
Murray said that UK Biobank told the government of at least three listings appearing to sell data that volunteers had provided to the UK charity in a bid to improve research capabilities worldwide.
"At least one of these datasets appeared to contain data from all 500,000 UK Biobank volunteers," Murray told the House.
"I want to reassure the House up front, however, that Biobank have advised that this data did not contain people's names, addresses, contact details, or telephone numbers," he said.
"The government has spoken to the vendor today, and they do not belive there were any purchases from the three listings before they were taken down. Once the government was aware of the situation, we took immediate action to protect participants' data," he said.
UK Biobank suspended all access to its research platform as a short-term precautionary response to the incident.
"We have temporarily suspended all access to the UK Biobank research platform, while we put in place a strict limit on the size of files that can be taken off the platform," chief executive Rory Collins said in a message to participants apologizing for the restrictions.
Murray also said that the charity had referred itself to the Information Commissioner's Office for a review of the incident.
"Secondly, we ensured that the Biobank charity revoked access for the three research institutions identified as the source of that information," Murray said.
Biobank's Collins described the actions of the individuals leaking information as "a clear breach of the contract they signed with UK Biobank," saying "they, along with their academic institutions, immediately had their access suspended."
The charity is one of the larger "biobanks" — often government-supported projects seeking to collect and collate various medical data and samples, typically on an anonymized basis — in the world. The systems are often hailed as being among the most important breakthroughs in modern biomedical research, facilitating rapid and easy access to vast datasets for researchers.
"We are still working with Biobank to ascertain from them the specific detail of what has happened. We have asked them to investigate how this data ended up for sale online as a priority," Murray told the House of Commons on Thursday.
Conservative MP Lincoln Jopp, who made reference to his past experience in handling such data breaches as the chief operations officer for a tech company, called the case a "very grave incident."
"UK Biobank is an amazing project with thousands of trusting volunteers," Jopp said. He said he hoped the government would support UK Biobank's efforts to improve security, "including vetting the research institutes which it trusts."
He asked Murray whether the research institutes banned had been from China themselves and also asked how likely it was that the data was now in the hands of the Chinese government. He also asked whether research institutes from "Russia, Iran or North Korea" were among those with access to UK Biobank records, and what kind of data had been listed for sale if not personal information.
Murray said examples of the type of more medically-relevant data that might have been taken included "gender, age, month and year of birth," attendance dates, socioeconomic status, lifestyle habits, sleep, diet, mental health and health outcomes data, among several other things. The minister said that while the charity could not "assure 100%" that individuals could not be identified using such data, Biobank considered the likelihood to be low in most circumstances.
Murray said that as he understands from the charity UK Biobank, Russia, Iran and North Korea were not accredited for access to the database.
"UK Biobank are very strict about who can access, because there is an accreditation process," Murray said. "But secondly, although these three institutions are Chinese in this particular instance, again, the Chinese and Alibaba have been very proactive in helping us, with the British Embassy in Beijing, to take down and whack-a-mole anything else that comes up. And they're currently going through that process."
"Yale, for example, had their accreditation suspended for a breach of data," Murray said. "So this is not a country-specific issue, it just so happens in this particular issue, the three institutions were Chinese."
