The UK government has confirmed that the confidential health data of around 500,000 British volunteers was briefly listed for sale on the Chinese platform Alibaba. The “de-identified” information, taken from participants in the UK Biobank research project, appeared in three separate online listings last week.

‍

Despite the severity of the breach, this is not the first time sensitive UK Biobank data has been exposed online; according to The Guardian, it has happened dozens of times, raising ongoing questions about its security measures. Technology Minister Ian Murray told Parliament that, following discussions with Chinese authorities and Alibaba, the listings were taken down and there is no evidence any of the data was sold. Speaking on the incident, Murray said:

“On Monday 20 April, the UK Biobank charity informed the government that it had identified their data had been advertised for sale by several sellers on Alibaba’s e-commerce platforms in China."

Biobank told us that three listings that appear to sell … Biobank participation data had been identified. At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers.”

Whilst Murray confirmed he could not give a complete guarantee that nobody could be identified, as the data could include gender, age, birthdate, socioeconomic status, lifestyle habits and/or measures from biological samples, he insisted to lawmakers that names, addresses, contact details or telephone numbers were not included.

Murray also said the information had been legitimately downloaded by three research institutions in China before it was taken down, and that they have now had their access revoked.

The people involved in the breach were those who agreed to make all their health-related data available for research when they joined the study between 2006 and 2010, to help scientists understand how disease develops. In addition to providing their health data, some of the volunteers also provided body scans using medical imaging equipment, as well as blood, urine and saliva samples.

Murray added: “I want to thank the Chinese government for the speed and seriousness with which they worked with us to help remove those listings and the ongoing work to remove any further listings.”

Whilst Murray agreed that the breach was “unacceptable”, he clarified that he did not know how it had happened and that investigations were ongoing.

Professor Rory Collins, chief executive and principal investigator of UK Biobank, which has temporarily suspended all access to its data, said:

“We apologise for the concern this will cause and have already put in place technology, processes and a board-led review to stop this happening again. We have also taken our research platform offline while we add a further upgrade that helps prevent de-identified data being taken out of the platform. We expect this to take three weeks. Our existing plans to implement an automated ‘airlock’ that checks files and data continue at pace.”

Chi Onwurah, chair of the Commons Science, Innovation and Technology Committee, said the “incredibly serious” breach was “yet another blow to public trust at a time when we need the benefits of digitalisation to be embraced by all”.

“It’s really coming to something if we’re having to rely on the Chinese government to keep our data secure,” she said.