The UK Biobank holds de-identified biological samples and health data of 500,000 volunteers – used to advance cancer, dementia and Parkinson’s care. 

But Technology Minister Ian Murray announced today there has been a large-scale data breach which resulted in highly confidential information being leaked.

The data have been found for sale on three separate listings on the Chinese e-commerce site Alibaba on Monday April 20th.

“At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers,” Murray told the House of Commons. 

“Additional listings offer support for applying for legitimate access to UK Biobank or analytical support for researchers who already have access to the data.

“I want to reassure the House up front however, that Biobank has advised that these data did not contain participants, names, addresses, contact details or telephone numbers.”

He added that the Government has today spoken to the vendor and does not believe there were any purchases from the three listings before they were taken down.

But according to reporting by the Times, Government sources have slammed the Biobank’s security arrangements, labelling them “extremely lax”. 

Responding to the news, Dame Chi Onwurah, Science, Innovation and Technology Committee Chair, said: “It’s deeply concerning to learn that the highly sensitive data held by the biobank has not been subject to proper controls.

“My committee has carried out extensive scrutiny of public sector information security and data hygiene, and in February Ian Murray and Government officials assured us that standards would improve, and public data would be better protected.

“Today’s statement, however, demonstrates just how little progress has been made. 

“It raises serious questions about whether lessons have been learned from repeated data breaches and leaks, and whether robust data management practices are being enforced at publicly funded bodies. 

“Public trust in the handling of sensitive data is handled [sic] is key to the Government’s digital transformation ambitions. This is another blow to public confidence.”

But Professor Sir Rory Collins, Chief Executive and Principal Investigator at Biobank, maintains it takes data protection “extremely seriously”.

“Last week, we found that de-identified participant data made available to researchers at three academic institutions were listed for sale on a consumer website in China, owned by Alibaba,” he said. 

“This is a clear breach of the contract signed by these academic institutions and they, along with the individuals involved, have had their access suspended.”

Datasets including gender, age, month, birth year, socio-economic status, lifestyle habits and measures from biological samples were included in the breach. 

As a result, Murray said he could not guarantee that no one can be identified from the data.