500,000 UK volunteers’ medical data listed for sale on Alibaba

Medical data from around 500,000 British volunteers in the health research project, the UK Biobank, was offered for purchase through the Chinese marketplace Alibaba, the British government has confirmed.

More than 22,000 researchers from over 60 countries use data from the UK Biobank to study disease development and improve global public health. The dataset comprises genetic data, clinical records, biological samples, and lifestyle-related information.

The UK Biobank states on its website that access to its data is governed by strict legal agreements that prohibit researchers from attempting to identify participants. However, it also recognises that absolute confidentiality cannot always be ensured.

Technology minister Ian Murray told the House of Commons that the UK Biobank had identified three online listings appearing to offer participant data for sale. He noted that at least one dataset seemed to include information relating to all 500,000 volunteers.

In addition, some listings promoted services such as assistance with obtaining legitimate access to the Biobank or providing analytical support to approved researchers.

He also reassured Parliament that the data did not include direct personal identifiers, such as names, addresses, or contact details.

“Firstly, we worked with Biobank, the Chinese government and the vendor to ensure that those three listings that UK Biobank informed us included participant data had been removed. I want to thank the Chinese government for the speed and seriousness with which they worked with us to help remove these listings and ongoing work to remove any further listings,” Murray said.

He added that the government ensured that the UK Biobank revoked access for the research institutions identified as the source of the data.

The minister said that the government will soon issue new guidance on the handling of data from research studies and urged organizations to ensure that their systems and data-sharing processes are as secure as possible.

The UK Biobank also issued a statement regarding the incident, apologising to participants and assuring that steps would be taken to prevent similar breaches in the future.

“In light of this incident, we are taking further steps to enhance our systems to prevent this from happening again,” said Professor Sir Rory Collins, Chief Executive and Principal Investigator of UK Biobank.

“We have temporarily suspended all access to the UK Biobank research platform, while we put in place a strict limit on the size of files that can be taken off the platform. This measure will allow researchers to export the results of their research, while severely limiting their ability to take any de-identified participant data off the platform.”

Collins further stated that the data did not include any personally identifiable information, echoing the minister’s earlier remarks.

The Guardian had already reported that confidential UK Biobank data had been exposed on previous occasions. An investigation published in March found that confidential health data had been exposed online on multiple occasions, often after researchers unintentionally uploaded datasets to public GitHub repositories, making the information publicly accessible.

Although the data did not include direct identifiers, experts warned that individuals could still be identified by linking it with other publicly available information.

“People who generously share their health data to benefit others through medical research rightly expect it to be kept safe and for there to be accountability when things go wrong,” said The National Data Guardian, Dr Nicola Byrne.

“Given this, I am profoundly concerned to learn that the confidential data participants entrusted to UK Biobank in good faith has been found available for sale online,” Byrne concluded.