The head of UK Biobank, Professor Sir Rory Collins, has attributed the recent data breach affecting half a million participants to a small group of rogue researchers. Speaking to the BBC, he said he was "angry" and "upset" about the incident, in which de-identified medical data was listed for sale on a Chinese e-commerce site.
The data, which had been made available to researchers at three academic institutions, was posted on Alibaba last week. The UK government confirmed the listings were removed before any sale occurred, but the charity now faces scrutiny over how the breach happened.
Sir Rory stated that the institutions involved have been banned from the Biobank platform. He added that the organization has temporarily suspended access to its online research platform while implementing additional controls to prevent future incidents.
"In this case, a few bad apples have taken those data off the platform and they have listed the data for sale," Sir Rory told BBC Radio 4's Today programme. "By working swiftly with the UK government and the Chinese government... we have been able to get those listings removed before any data were sold."
UK Biobank is a vast collection of health data from volunteers, used to advance research into diseases like dementia, cancer, and Parkinson's. The compromised data did not include names, addresses, or contact numbers, but did contain gender, age, month and year of birth, socioeconomic status, lifestyle habits, and biological sample measurements.
While Sir Rory acknowledged it is "impossible" to entirely rule out the risk of re-identification, he said there is no evidence it has occurred. The organization has referred itself to the Information Commissioner's Office (ICO), which is investigating.
Jon Baines, a data protection specialist at Mishcon de Reya, noted that the regulator will likely examine whether the data qualifies as truly de-identified and thus not personal data under UK law. UK Biobank also plans a board-led investigation into the incident.
Sir Rory stressed the need to balance data accessibility for scientific discovery with security, stating, "We can always do more" to prevent misuse, but the organization must continue to enable vital research.