UK Suspends Access to Biobank Data After Listings Appear on China’s Alibaba

By Evgenia Filimianova
Evgenia Filimianova is a UK-based journalist covering a wide range of international stories, with a particular interest in foreign policy, economy, and UK politics.
April 24, 2026 | Updated: April 24, 2026

The UK government has paused researcher downloads from the UK Biobank after de-identified participant data was advertised for sale on Alibaba-linked e-commerce platforms in China.

The incident prompted a security review and renewed scrutiny of protections surrounding one of the world’s largest biomedical research databases.

The Biobank is a collection of health data offered by volunteers, which scientists use for research.

UK technology minister Ian Murray told lawmakers on April 23 that UK Biobank had told the government about the breach on April 20.

Three online listings on Alibaba’s e-commerce platforms in China appeared to offer the data, including at least one dataset that appeared to contain information relating to all 500,000 volunteers in the database, he said.

Murray stressed the data did not include participants’ names, addresses, telephone numbers, or direct contact information.

Still, the incident triggered immediate action. Murray said the government worked with the Chinese regime and the vendor to remove the listings.

UK Biobank revoked access for the three research institutions identified as the source of the information and suspended further data downloads pending technical safeguards.

“This has been an unacceptable abuse of the UK Biobank charity’s data, and an abuse of the trust that participants rightly expect,” Murray said.

Murray said the charity has referred itself to the UK’s Information Commissioner’s Office, a data protection watchdog, and has agreed to conduct a rapid board-level review of safeguards. Although the minister emphasized the records were de-identified, he acknowledged some degree of theoretical re-identification risk.

“It would be wrong for me to give 100% assurance—and UK Biobank cannot do so—that someone could not be identified from the data,” he said in response to questions from lawmakers.

Reform UK’s MP Richard Tice characterized the breach as “essentially a China data theft,” and asked whether Chinese researchers should be excluded from future access.

Murray rejected that approach.

“There are thousands of Chinese researchers working every day on data from UK Biobank and other datasets from across the world, and they have been doing that since 2012 safely and securely,” he said.

He argued the issue stemmed from a loophole in controls rather than nationality, and noted Yale University had previously had accreditation suspended over misuse of data, showing the problem was not country-specific.

He said the listings have since been removed.

UK Biobank’s Statement

UK Biobank’s chief executive, Rory Collins, on April 23 apologized for the incident and said the listings were removed before any sales occurred.

“We are putting in place additional security measures to prevent this happening again,” Collins said.

Collins said access to the research platform has been temporarily suspended while limits are imposed on the size of files researchers can export, and that all exports are subjected to daily monitoring.

UK Biobank is developing what he described as an automated system designed to prevent de-identified participant data from being taken off the platform without blocking legitimate scientific work.

The system is expected to be in place by the end of 2026.