Confidential medical details of 500,000 NHS patients have been offered for sale on the Chinese e-commerce platform, Alibaba. This incident raises serious concerns about data security and the potential for misuse.

Significant Data Breach Confirmed

A substantial breach of sensitive medical data belonging to approximately 500,000 patients within the UK’s National Health Service (NHS) has been discovered. The data originated from the UK Biobank, a research hub that provides ‘de-identified’ data to various institutions.

Data Details and Concerns

The compromised information includes details such as gender, age, birth year and month, socioeconomic status, lifestyle habits, and data from assessment centre visits and attendance records. While lacking direct identifiers like names and addresses, experts warn that this combination of information could potentially lead to the re-identification of individuals.

Previous Warnings and Access Revocation

This breach follows previous warnings regarding the potential misuse of this data by Beijing, specifically for the development of bioweapons. The initial access to the data was legitimately granted to three Chinese research institutions, but their access has now been revoked.

Systemic Vulnerability Highlighted

Technology minister Ian Murray acknowledged a large-scale data breach during parliamentary questioning. He also revealed this is the 198th known exposure of UK Biobank data since last summer, indicating a systemic vulnerability. The data was offered for sale multiple times over the past week before listings were removed.

Criticism and Calls for Inquiry

Critics argue that the initial decision to allow access to Chinese researchers was reckless, given geopolitical tensions and China’s ambitions in the biotechnology sector. Shadow national security minister Alicia Kearns accused the Labour government of providing a ‘gift to China’ that could endanger lives.

Past Controversies and Audits

The controversy stems from last year’s decision to allow Chinese researchers access to GP records of 503,000 UK Biobank volunteers. The UK Biobank underwent an audit by NHS England last April and passed, leading to renewed access requests. In February, Health Secretary Wes Streeting authorized the sharing of coded GP data from all volunteers with the UK Biobank.

Ongoing Data Availability and Apology

Experts, like Professor Luc Rocher from the Oxford Internet Institute, emphasize the difficulty of removing stolen data from the internet, noting that UK Biobank data remains readily available for download. Professor Sir Rory Collins, UK Biobank chief executive, issued an apology to participants for the distress caused by the breach.