Biobank data leak caused by ‘a few bad apples’, boss tells BBC

A significant data breach at the UK Biobank, a vast repository of health information from hundreds of thousands of UK volunteers, has been attributed by its chief executive to the actions of a small number of individuals. Datasets containing de-identified information about its volunteers, which had been made available to researchers at three academic institutions, were discovered for sale on the online marketplace Alibaba last week. The government confirmed the incident, stating that the listings were "swiftly" removed before any transactions could occur, but the charity is now facing intense scrutiny regarding the security protocols that allowed such a breach.

Professor Sir Rory Collins, Biobank’s chief executive and himself a participant in the initiative, expressed his profound disappointment and anger over the incident. Speaking to the BBC, he revealed that the institutions involved have been permanently banned from accessing Biobank’s platform. In response to the breach, Biobank has taken the drastic step of temporarily suspending all access to its online research platform. This pause, described by Sir Rory as "putting science on hold," is necessary to implement enhanced security controls designed to prevent any recurrence of such an incident.

The UK Biobank is a cornerstone of medical research, housing comprehensive health data donated by volunteers across the UK. This invaluable resource has been instrumental in advancing the understanding and treatment of a range of debilitating diseases, including dementia, various forms of cancer, and Parkinson’s disease. The charity’s online research platform is designed to provide secure access to these de-identified datasets for approved academic institutions worldwide, enabling scientists to conduct groundbreaking research. "In this case," Sir Rory explained to BBC Radio 4’s Today programme, "a few bad apples have taken those data off the platform and they have listed the data for sale." He elaborated on the swift international cooperation that led to the removal of the listings, stating, "By working swiftly with the UK government and the Chinese government, and we’re really grateful for their help, we have been able to get those listings removed before any data were sold."

The nature of the leaked data has raised concerns about potential identification of participants. Technology minister Ian Murray informed MPs in the House of Commons that the compromised datasets did not include directly identifying information such as names, addresses, or contact details. However, he acknowledged that the data could encompass sensitive information like gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measurements derived from biological samples.

The scale of Biobank’s data collection is immense. Over the past two decades, it has amassed intimate health details from hundreds of thousands of volunteers, including comprehensive whole-body scans, DNA sequences, and detailed medical records. Participants were originally recruited between 2006 and 2010, when they were aged between 40 and 69.

When questioned about the possibility of participants being identified through the recombination of de-identified data with other available information, Sir Rory conceded that it was "impossible" to entirely rule out such a scenario. However, he emphasized that there was currently no evidence to suggest that any such identification had occurred.

In light of the breach, Biobank has proactively referred the incident to the UK’s data protection regulator, the Information Commissioner’s Office (ICO). A spokesperson for the ICO confirmed that they have been informed of the incident and are currently conducting inquiries. "People’s medical data is highly sensitive information," the spokesperson stated, "not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law."

Jon Baines, a senior data protection specialist at the law firm Mishcon de Reya, commented on the ICO’s likely course of action, suggesting that the regulator would focus on verifying whether the volunteer information was indeed truly de-identified and therefore did not constitute personal data under UK law.

In parallel with the regulatory investigation, Biobank has initiated its own "comprehensive and forensic board-led investigation of this incident." Sir Rory acknowledged that while the organisation continuously strives to improve its security measures, there is always room for enhancement. He highlighted the delicate balance Biobank must maintain between facilitating vital scientific discovery and ensuring the robust protection of its participants’ data. "UK Biobank has allowed discoveries to be made that otherwise would never have emerged about how to prevent and treat diseases like dementia," he told the Today programme. "The balance then is how do you put in place safeguards to allow that to go on, while doing it in a secure way."

The incident underscores the persistent challenges in safeguarding large-scale sensitive datasets, even when robust de-identification measures are in place. The trust placed in Biobank by its volunteers is paramount, and the organisation’s response, including the temporary suspension of its platform and the commitment to a thorough investigation, signals its intent to address the vulnerabilities exposed by this breach and rebuild confidence in its data security practices. The outcome of the ICO’s investigation will be crucial in determining the full extent of Biobank’s compliance with data protection regulations and the appropriate measures to prevent future breaches. The long-term impact on scientific research, which relies heavily on access to such comprehensive datasets, remains a significant consideration as Biobank navigates this challenging period. The commitment to transparency and accountability will be key to the organisation’s ability to continue its vital work in advancing global health research.
