select search filters
briefings
roundups & rapid reactions
Fiona fox's blog
Scientists comment on a UK Biobank data breach where data was offered for sale online in China.
Professor Ewan Birney CBE FRS FMedSci, Director of EMBL-EBI, said:
“The participants who donated their samples and time and authorised access to their healthcare records is the core of UK BioBank and it must be very concerning to hear of this release of their anonymised data on a chinese commerical website. Although the datasets come thoroughly deidentified, and that UK BioBank and the Chinese authorities acted very quickly, it is still concerning and entirely correct that UK BioBank is auditing their access procedures and processes due to this.
“UK BioBank is the most impactful large scale cohort in the world due to its scale, the richness and consistency of the measurements taken on the individuals, including high end imaging techniques and extentsive genomic sequencing, the excellent longitudinal data provided by the NHS and the responsiveness of participants to surveys asking about health and health related aspects of their life. Many thousands of discoveries have been made using the dataset from understanding the fundamental biology of everyday life of humans through to why particular people are far more likely to get particular diseases. The success of this cohort depends on the ongoing trust and commitment from the participants, and I fully support UK Biobank’s review and response to this data breach.”
Prof Cathie Sudlow, Chair of Neurology and Clinical Epidemiology, Director of the Usher Institute, Head of the School of Population Health Sciences and Director of the UKRI Adolescent Health Study, University of Edinburgh, said:
“A proportionate response to this situation, balancing risks versus benefits, is crucial. The tangible public benefits that have already arisen – and will continue to arise – from research discoveries using UK Biobank resources are huge. There is no room for complacency in responding to any potential threat to the privacy and security of research participants’ data. And it is clear from UK Biobank’s rapid response to this issue, supported by both the UK and Chinese Governments, that they take their responsibilities to their participants extremely seriously. These responsibilities include putting in place mechanisms to protect participants’ confidential data, such as providing access to de-identified data for approved research within a secure data environment. They also include ensuring that the data and samples that participants have provided can continue to be used, safely and securely, to enable research discoveries that will benefit millions of people around the world.
“The data breach in this case does not involve any information from which people can be directly identified. This is very different from a data breach arising from, for example, a hack of a healthcare system, where bad actors may obtain and then place – or threaten to place – directly identifying information such as people’s names and addresses, together with clinical information, in the public domain. In the current situation, bad actors have breached their legally binding agreement with UK Biobank, presumably in an illegal attempt to profit from their access to de-identified UK Biobank data. Thankfully, this sort of situation is extremely rare, not least because of the sanctions that UK Biobank applies for such breaches, and the substantial reputational damage to researchers and their institutions should they act in this way.“
Anni Feng, Co-Chair of the Digital Futures Policy Centre at the Institution of Engineering and Technology (IET), said:
“Data is incredibly valuable and powerful and therefore often a target for cyber-attacks. But, data is also fundamental to technology and innovation, the more high quality, interoperable data we have provides a more accurate picture.
“Even the data we have now, is not robust enough or readily sharable to allow for advancements in AI and medicine to reach their true potential, which can have an impact on things like reproducibility. Ethical data sharing is going to be critical to the successful development, deployment and assessment of tools. The IET recommends that the Responsible Handover of AI should be included as part of ethical guidance. We also need to ensure we have diverse data from different data sources as there will naturally be a bias in the data if people are volunteering their data or if we model technologies on data from a ‘healthy’ population or ‘unhealthy’ bias.
“Technologies such as environmental sensors, monitoring air quality, temperature, and noise, can be linked with patient health data to improve outcomes. However, fundamentally, transparency around the data used is critical to ensure that we maintain trust and build public confidence in the use of their data. Training and emphasis on data handling skills for researchers working with data should be a key focus.”
Anna Steere, Head of Understanding Patient Data, said:
“UK Biobank participants have made an exceptional contribution to health research, volunteering their data through explicit consent to support the public good. Reports like this will understandably be unsettling, particularly for people who have taken part in good faith.
“It is important to recognise that UK Biobank is a specific, consented research cohort, and not representative of how most people’s health data is routinely used across the NHS. When distinctions like this are unclear, incidents can fuel wider anxiety and undermine confidence across the whole health data system.
“We welcome the swift initial steps taken to remove the listings, suspend access and pause data sharing while safeguards are reviewed. Establishing clear facts and understanding what went wrong will be essential.
“Trust in the use of health data is not built on the idea that nothing ever goes wrong, but on what organisations do when it does -through accountability, openness and a clear commitment to strengthening protections in response. Those early actions matter in maintaining public confidence and ensuring essential research can continue responsibly.”
Prof John Gallacher, Director, Dementias Platform UK, University of Oxford, said:
“Whilst this data breach is alarming, it is also a backhanded compliment to the global value of UK Biobank. UK Biobank is one of the world’s foremost biomedical resources; its breadth and depth of data creating scientific opportunity globally. Critical to this value is maintaining the covenant of trust between researchers and participants. The rapid action of UK Biobank and the UK and Chinese Governments against bad actors to ensure the privacy of participants is testament to the importance of this trust. As a ‘Biobanker’ I am reassured that the value of my small contribution to global health is jealously guarded.”
Professor John Danesh, BHF Professor of Epidemiology and Medicine, Department of Public Health and Primary Care, University of Cambridge, said:
“UK Biobank is a jewel in the crown of UK science—a uniquely powerful resource for medical discovery and arguably the most valuable population-scale biomedical dataset in the world. It’s critical to advancing science to help patients.
“Since making de-identified participant data available to researchers in 2012, UK Biobank has enabled thousands of scientists globally—including my own team at the University of Cambridge and the Wellcome Sanger Institute—to generate insights that are improving the prevention and treatment of disease.
“It is reassuring that UK Biobank’s swift and robust response has reportedly prevented an illegal attempt to breach its access rules.
“Continued vigilance, strong governance, and transparency will help sustain the strong public trust already demonstrated in this resource.
“At moments like this, it is important to recognise the profound scientific and public health benefits that the data in UK Biobank delivers. Responsible, secure access to that data is fundamental.”
Professor Andrew Morris, Director of HDR UK, said:
“To find data for sale on a website in China will be greatly concerning for participants. Even with all identifying information removed from the data, this is still sensitive data and a serious data breach.
“I am glad to see that rapid action has been taken at the highest levels with a joined-up response between UK Biobank and the UK and Chinese governments. The fact that the datasets were rapidly taken down and interim measures have been put in place offers reassurance. It is important that there is a full review.
“Health research using large de-identified datasets is delivering great advances in the prevention, diagnosis and treatment of diseases affecting millions of people in the UK and globally. UK Biobank has been at the vanguard of many of these discoveries. But such research is only possible with the trust of participants in how their data is handled.
“Significant advances have been made in the last 5-10 years in how data is accessed by researchers to give added layers of security and privacy protection. This has included the use of secure environments that bring researchers to the data, not data to the researchers and also allow rigorous checking of all information that leaves those environments. UK Biobank has moved to a secure environment and has described how they intend to introduce output checking. This is an important step.
“The future of healthcare is increasingly data-dependent. We must double down on implementation of secure systems to enable essential research that is responsible, trusted and can operate at scale.”
Prof Luc Rocher, Associate Professor, Oxford Internet Institute, University of Oxford, said:
“This is the 198th known exposure of UK Biobank data since last summer (see https://biobank.rocher.lc/). UK Biobank data is not just available for sale, it also remains available online for anyone to download today. Researchers have, in the past, repeatedly and accidentally uploaded datasets to online code sharing platforms, and many of these files are now replicated across the web. UK Biobank has sought to downplay the importance of such exposures, stating that data are “de-identified” and free of “personally identifying information,” and that no participant has been unwillingly re-identified. Last month, The Guardian correctly identified a single participant from just two easily known facts. The actions being taken today are inadequate to take down data from the web, and cannot protect the 500,000 participants whose intimate health records have been exposed 198th time this year.”
Prof Elena Simperl, Department of Informatics, King’s College London, said:
“The recent UK Biobank data exposure is not a moment to point fingers, but to take seriously what it tells us about national data infrastructure. Initiatives like UK Biobank are absolutely essential to driving innovation across the health and life sciences ecosystem. With longitudinal data on half a million volunteers and more than 18,000 peer-reviewed papers to its name, the UK is world-leading in this space, and rightly proud of it. What happened here was an infrastructure problem, not the result of a complex cyber-attack. Too often, the costs of maintaining infrastructure for flagship data stewardship projects like this are treated as an afterthought. The UK has built something remarkable, but we need to keep investing in keeping it safe.”
https://www.bbc.co.uk/news/articles/cpvxgl3n138o
Declared interests
Ewan Birney is a long established paid consultant to Oxford Nanopore, which is one of the companies that have provided genome sequencing for UK Biobank.
Prof Cathie Sudlow: “Chief Scientist for UK Biobank from 2011-2019”
Prof John Danesh: Professorial Fellow, Jesus College, Cambridge. Faculty Member, Wellcome Sanger Institute. Director, Health Data Research UK-Cambridge.
I serve on the Access Committee of UK Biobank.
Professor Andrew Morris: “Director of Health Data Research UK, the national institute for health data science; is Professor of Medicine and Vice Principal at the University of Edinburgh; is President of the Academy of Medical Sciences, has minority (<1.5%) shareholding in Aridhia Informatics and a small number of shares in GSK (<£5,000).”
Prof Luc Rocher: “no conflicts of interest”
Prof Elena Simperl: “no conflicts”