Medical information of 500,000 Brits touted on Alibaba e-commerce site


Medical data linked to half a million UK volunteers, held by the research charity Biobank, is said to have been leaked and then put up for sale on one of the Chinese e-commerce giant Alibaba’s websites.

The matter was raised in the UK Parliament on Thursday by Technology Minister Ian Murray.


According to Murray, the Biobank data "had been advertised for sale by several sellers on Alibaba's ecommerce platforms in China."

He added that the charity had said the data "did not contain participants' names, addresses, contact details or telephone numbers," and that Biobank "did not believe that there were any purchases from the three listings before they were taken down."

What is Biobank?

Biobank, a body founded by the Department of Health and medical research charities, scans blood samples and holds genome sequences and lifestyle information of 500,000 volunteers.

It is credited with driving breakthroughs in cancer, dementia, and diabetes research. In February, the government extended Biobank’s access to the volunteers' GP records.

Biobank has claimed breakthroughs in cancer, dementia, and diabetes research. Stock image by Gorodenkoff | Shutterstock

The charity’s chief executive, Professor Rory Collins, blamed the breach on three academic institutions that the researchers worked for, and said that their access to the data has now been suspended.

“Last week, we found that de-identified participant data made available to researchers at three academic institutions was listed for sale on a consumer website in China, owned by Alibaba,” he said.

“With support from both the UK and Chinese governments, Alibaba swiftly removed those listings before any sales were made. This is a clear breach of the contract signed by these academic institutions, and they, along with the individuals involved, have had their access suspended,” he added.

March exposé found health data exposed on “dozens of occasions”

In March, an earlier investigation by The Guardian revealed Biobank’s health data was exposed online “on dozens of occasions.”

The data appears to have been “inadvertently posted online by researchers” and did not include names or addresses. However, it still posed privacy concerns.

One dataset seen by the newspaper contained millions of hospital diagnoses and associated dates for 400,000 participants.

At the time, Collins responded on Biobank’s website, saying, “There has not been any hack or data breach of UK Biobank, and if there had been, you would have heard about it from us.”

Following the revelations about Alibaba, Murray told Parliament that he could not guarantee 100% that no one could be identified from the data.

UK's Tech minister told parliament he couldn't "100% guarantee" that people would not be identified following Biobank breach. Image by Cybernews.

He said datasets, including gender, age, month and year of birth, socio-economic status, lifestyle habits, and measures from biological samples, were included.

The minister added that it would be “wrong for me to assure 100% and UK Biobank could not assure 100% that you could not identify someone from this, but that would be a very advanced way in which that data would have to be used.”

Biobank’s mitigations

In response to the most recent events, Collins said that Biobank has taken measures to secure its cloud-based systems.

He said that access to the platform has been suspended while the research body limits the size of files that can be taken off the research platform.

In addition, all files exported from the research platform “will be monitored daily for any suspicious behavior.”

“This measure will allow researchers to export the results of their research, while severely limiting their ability to take any de-identified participant data off the platform,” Collins added.

Biobank is also launching an investigation into the incident.

According to Dray Agha, senior manager of security operations at cybersecurity platform Huntress, the breach proves that "security by obscurity" is dead.

“When datasets of this scale are advertised on mainstream e-commerce platforms, it signals a bold escalation in how threat actors monetize stolen sensitive information.”

Dray Agha, Huntress

“Moving forward, the sector must move beyond traditional perimeters and adopt a Zero Trust architecture where access to sensitive health records is continuously verified, monitored, and restricted, ensuring that a single compromised credential cannot lead to a wholesale data export,” Agha added.

A spokesperson for the ICO told Reuters:

"People's medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law. UK Biobank has made us aware of an incident and we are making enquiries."

