Incident Overview
The head of UK Biobank, Professor Sir Rory Collins, has attributed a recent data breach involving medical information of 500,000 participants to "a few bad apples." The incident involved datasets containing de-identified volunteer information, which were made available to researchers at three academic institutions and were found listed for sale on Alibaba, a Chinese website, last week, according to a government statement released on Thursday.
The listings were "swiftly" removed before any transactions occurred, but the charity now faces scrutiny regarding the circumstances that allowed the incident to happen.
Sir Rory expressed his feelings about the situation during an interview with the BBC, stating he was both "angry" and "upset." He confirmed that the institutions involved have been banned from the Biobank platform.
Furthermore, the organisation has temporarily suspended all access to its online research platform, effectively "putting science on hold," while it implements additional controls designed "to prevent anything like this happening again."

About UK Biobank
UK Biobank is a repository of health data contributed by volunteers across the UK. This resource has been instrumental in advancing detection and treatment methods for conditions such as dementia, various cancers, and Parkinson's disease.
The Biobank's online research platform permits scientists affiliated with approved academic institutions worldwide to access datasets containing de-identified medical information about participants for research purposes.
"In this case, a few bad apples have taken those data off the platform and they have listed the data for sale," Sir Rory told BBC Radio 4's Today programme.
"By working swiftly with the UK government and the Chinese government, and we're really grateful for their help, we have been able to get those listings removed before any data were sold."

Identification Concerns and Data Details
Technology Minister Ian Murray informed Members of Parliament in the House of Commons on Thursday that the data involved did not include participants' names, addresses, contact details, or telephone numbers.
However, the data could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measurements derived from biological samples.
UK Biobank has collected detailed information—including whole-body scans, DNA sequences, and medical records—from hundreds of thousands of volunteers over more than two decades. Participants were aged between 40 and 69 when recruited between 2006 and 2010.
When questioned about the possibility of participant identification through the shared datasets, Sir Rory stated it was "impossible" to completely rule out identification by combining de-identified data with other information. Nonetheless, he emphasised there is no evidence that such identification has occurred.
The organisation has voluntarily referred itself to the UK's data regulator, the Information Commissioner's Office (ICO).
An ICO spokesperson confirmed on Thursday that the office has been informed of the incident and is conducting inquiries.
"People's medical data is highly sensitive information; not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law," the spokesperson said.
Jon Baines, a senior data protection specialist at the law firm Mishcon de Reya, commented that the ICO will likely seek to verify that volunteer information is genuinely de-identified and thus does not constitute personal data under UK law.

Investigation and Future Safeguards
The organisation announced plans for a "comprehensive and forensic board-led investigation of this incident."
Sir Rory acknowledged that while there is always more that could be done to prevent misuse, the Biobank must balance the availability of data for scientific discovery with the need to protect it.
"UK Biobank has allowed discoveries to be made that otherwise would never have emerged about how to prevent and treat diseases like dementia," he told Today.
"The balance then is how do [you] put in place safeguards to allow that to go on, while doing it in a secure way."







