UK Biobank data exposed

UK Biobank said on April 23 that de-identified participant data was exposed after listings offering access appeared on a Chinese consumer website. (ukbiobank.ac.uk) The charity said the listings involved data previously made available to researchers at three academic institutions, and that Alibaba removed the listings before any purchases were made. UK Biobank said names, addresses, dates of birth and National Health Service numbers were not included. (ukbiobank.ac.uk) Technology minister Ian Murray told the House of Commons on April 23 that the data had been advertised for sale by several sellers on Alibaba’s platforms in China. Sky News reported Murray said the records covered all 500,000 volunteers in the database and included gender, age, month and year of birth, socioeconomic status, lifestyle habits and measures from biological samples. (news.sky.com) UK Biobank is one of Britain’s biggest long-running health research projects. It recruited 500,000 people across the UK between 2006 and 2010 and has continued collecting data from existing participants for research on diseases including dementia, cancer and Parkinson’s. (ukbiobank.ac.uk; news.sky.com) The system is built around “de-identified” data, meaning direct identifiers are stripped out before researchers get access. UK Biobank says approved researchers are supposed to work inside a restricted cloud platform in the UK, under contracts that bar attempts to identify participants. (ukbiobank.ac.uk; ukbiobank.ac.uk) That model has been under pressure for weeks. On March 14, UK Biobank said some researchers had unintentionally put portions of de-identified participant data into public code repositories when sharing software used in their studies. (ukbiobank.ac.uk) The April 23 disclosure goes further than that March notice. UK Biobank said the new incident was a contract breach by the three institutions involved, suspended their access along with the individuals involved, and temporarily suspended all access to its research platform while it tightens export controls. (ukbiobank.ac.uk) The charity said it is now imposing a strict limit on the size of files that can be taken off the platform and will monitor all exported files daily for suspicious activity. Its public data-protection page already warned that participants “cannot always” be protected completely from re-identification risks, even though direct identifiers are withheld. (ukbiobank.ac.uk; ukbiobank.ac.uk) The government said Chinese authorities helped remove the listings, and Murray said the nationality of the three institutions should not be taken on its own as proof of intent. UK Biobank said it will carry out a comprehensive investigation as it tries to restore trust in a dataset used by researchers around the world. (theregister.com; ukbiobank.ac.uk)