A major health research charity has referred itself to the Information Commissioner’s Office after its data was found advertised on a Chinese e-commerce website owned by Alibaba.
The ICO is making enquiries relating to the incident and the UK government has been alerted to the data breach.
UK Biobank started making de-identified data available for research in 2012 to help scientists find better ways to diagnose, prevent and treat diseases.
According to the charity, accredited researchers accessing the data must go through a rigorous access review process and their institutions must also sign a contract committing to keep the data secure.
But last week, the charity’s chief executive, Sir Rory Collins, said the charity had found that de-identified participant data made available to researchers at three academic institutions had been listed for sale on a consumer website in China.
In the House of Commons last week, minister of state Ian Murray said that “at least one of the three datasets appeared to contain data from all 500,000 UK Biobank volunteers”.
But he said that the charity had advised the data did not contain names, addresses, contact details or phone numbers.
Collins said that with support from the UK and Chinese governments, Alibaba “swiftly removed” the listings before any sales had been made.
In his statement, Collins said the leak was a “clear breach of contract” by the academic institutions involved and that they, along with the individuals involved, have had their access suspended.
The charity said it had suspended all access to its research platform while it puts in place a strict limit on the size of files that can be taken off the platform.
“This measure will allow researchers to export the results of their research, while severely limiting their ability to take any de-identified participant data off the platform,” Collins said.
He said that all files exported from the platform would be monitored daily for any suspicious behaviour.
“In addition, we will conduct a comprehensive and forensic board-led investigation of this incident,” Collins said.
Murray told MPs that the incident was an “unacceptable abuse of the UK Biobank charity’s data, and an abuse of the trust that participants rightly expect when sharing their data for research purposes”.
He said the government takes the incident “extremely seriously”, adding that it will soon be issuing new guidance on control of data from research studies.
A spokesperson for the ICO said that UK Biobank had made it aware of an incident and that it was making enquiries.
The spokesperson said: “People’s medical data is highly sensitive information; not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.
“When organisations are sharing forms of personal information for research purposes, they must use appropriate security measures such as pseudonymisation with appropriate controls in place to prevent against unauthorised disclosure.”
