There have been further listings of confidential health records of UK volunteers on the Chinese website Alibaba since the breach reported last week, and the government is braced for further leaks, the science minister has said.
Addressing a House of Lords debate on the attempted sale of data belonging to 500,000 UK Biobank volunteers, Patrick Vallance said the government had worked with Chinese officials to remove additional postings on the online marketplace.
“New listings will emerge – there have been additional listings posted since the government were made aware of the issue last week – and we continue to work with the Chinese government to remove them quickly,” Lord Vallance said.
The data is “de-identified”, meaning it does not include names, addresses or precise dates of birth. Vallance said there was a “low probability” of re-identification, but the breach should nonetheless serve as a “real wake-up call” for researchers.
“It is increasingly possible to triangulate in large datasets and get close to identification, and that remains a very real risk,” he said.
Last month, the Guardian was able to re-identify a single participant in a different UK Biobank dataset that had been leaked online using just their date of birth and the data of an operation.
The technology minister Ian Murray made an emergency statement last Thursday which revealed that half a million participants in the UK Biobank project had had their health data put up for sale on Alibaba. UK Biobank learned of the breach from an anonymous whistle-blower. The data has since been taken down and officials do not believe there were any sales. All access to UK Biobank data has been temporarily suspended.98
Vallance named the three Chinese institutions, whose researchers are understood to be behind the postings, as the Second Xiangya hospital, China-Japan Union hospital, and Beijing Chaoyang hospital.
Vallance praised the altruism of UK Biobank volunteers, whose data he said had paved the way for discoveries of genes that affect the risk of heart disease or cancer, and new ways of predicting dementia and understanding Covid-19.
“I end by saying again how important UK Biobank is, how unique it is worldwide in its breadth and depth of coverage, and how appalling it is that this leak occurred,” Vallance said. “We must make absolutely sure that this risk is eliminated going forward by making sure that a secure data environment is put in place.”
In addition to the Alibaba posts, the UK Biobank has taken action on at least 30 other data breaches in the past month, according to Dr Luc Rocher, a researcher at the Oxford Internet Institute, who has been tracking data breaches. Some of the data, including a detailed dataset relating to 96,000 volunteers that appears to have been accidentally uploaded by a masters student at Yale University, remains online. UK Biobank said it had asked for the data be removed and that it should be completed shortly.
Chi Onwurah, the chair of the Commons science, innovation and technology committee, said: “I’m astounded that that data is still available online. UK Biobank have been complacent about the half a million British people who have shared their most intimate and personal data with them and who deserve better than this.”
A government spokesperson said: “We are aware of reports that unauthorised data from UK Biobank – a health research charity independent of government – is being made available online following a leak which was reported last month. As you would expect, we are working with UK Biobank to understand its origin and extent of this data, and to ensure they are taking proactive steps to get it removed.”
