Observer: UK Biobank breach could spark an 'arms race' in misuse of genetic data

UK Biobank said on April 23 that data from its 500,000 volunteers had been advertised for sale on Alibaba after access granted to three academic institutions was abused. (ukbiobank.ac.uk) (gov.uk) UK Biobank is a British research charity that stores genetic, health and lifestyle records donated by volunteers and shares them with approved researchers studying disease. The database has been used since 2012 and UK Biobank says it has supported thousands of findings on cancer, dementia, Parkinson’s and heart disease. (ukbiobank.ac.uk) (gov.uk) The records were described as de-identified, meaning names, addresses, contact details and National Health Service numbers were not included in the files offered for sale. Technology minister Ian Murray told the House of Commons that at least one listing appeared to contain data from all 500,000 participants. (gov.uk) That does not make the data harmless. UK Biobank’s own privacy guidance says a participant who has posted genealogy or health information publicly could be identified by cross-referencing that material with research data. (ukbiobank.ac.uk 1) (ukbiobank.ac.uk 2) Researchers have shown for years that genetic records can be traced back to people by combining DNA clues with outside databases. A 2013 Science paper demonstrated surname inference from genome data and other metadata, and later reviews described genomic privacy as a continuing technical and legal problem. (psycnet.apa.org) (nature.com) The immediate breach was not a classic outside hack. UK Biobank and the government both said the data had been made available under contract to three academic institutions, then appeared on Alibaba in breach of those agreements. (ukbiobank.ac.uk) (gov.uk) That distinction matters because UK Biobank’s system was built around approved access inside a restricted cloud platform rather than open downloading. After the listings were found, the charity paused all platform access, imposed strict limits on file exports and said every exported file would be monitored daily for suspicious behavior. (ukbiobank.ac.uk 1) (ukbiobank.ac.uk 2) Ministers said the three Alibaba listings were removed with help from Alibaba and the Chinese government, and the government said it did not believe any purchases were made before takedown. UK Biobank also revoked access for the institutions and the individuals involved. (gov.uk) (ukbiobank.ac.uk) The Observer’s warning about an “arms race” points to what can happen after a first leak: copied files, secondary sharing, and attempts to match “anonymous” records to real people using outside data. UK Biobank’s own rules already say research must not cause harm, including discrimination or marginalisation of groups. (observer.co.uk) (ukbiobank.ac.uk) The next test is whether tighter export controls and monitoring can keep a database built for global research open without letting approved access turn into a resale market. UK Biobank says a full investigation is under way. (ukbiobank.ac.uk)