Rogue scientists at three hospitals in China attempted to sell the stolen medical data of half a million NHS patients, raising serious concerns about Britain's security measures. The confidential NHS medical details were listed for sale on Alibaba, an ecommerce website often referred to as China's Amazon, due to what is described as the UK's 'lax' security protocols.
How the Breach Occurred
The lack of sufficient regulations allowed Chinese academics to gain unrestricted access to the entire database of UK Biobank, a research hub that provides 'de-identified' data to universities, institutes, and private companies. Three separate listings were made by individuals from three different Chinese research hospitals, who had initially accessed the data legitimately. UK Biobank, a registered charity, has refused to name the medical facilities but confirmed that they have since been denied access to the data. The charity stated that it was alerted to the listings by an anonymous whistleblower.
Government and Expert Reactions
A Whitehall source told a national newspaper that the charity had been 'very, very lax' regarding who could access the data and whether it could be kept secure. Technology Minister Ian Murray described the leak as an 'unacceptable abuse' and called for an inquiry. Shadow National Security Minister Alicia Kearns accused Labour of handing a 'gift to China', stating: 'Half a million Britons trusted the system with their most intimate health data. That trust has been shattered.' She demanded answers on which institutions had their access revoked, which had links to the Chinese state, and who signed off on overriding MI5's warnings last year.
Former MI6 chief Sir Richard Dearlove compared the decision to the aborted plan to allow Chinese firm Huawei a role in the UK's 5G network. Sir Ken McCallum, head of MI5, has repeatedly warned against Chinese interference, particularly in science and technology. Former Tory leader Sir Iain Duncan Smith called for an inquiry, saying: 'It beggars belief when China is looking to develop bioweapons.'
Data Exposed and Current Status
The stolen data did not include names, addresses, or contact details, but it contained gender, age, month and year of birth, as well as assessment centre data, attendance data, socioeconomic status, and lifestyle habits. UK Biobank has paused global access to its data to prevent further downloads and resales. Although the posts were removed before any sales occurred, experts believe Beijing may have already capitalised on the information. Professor Luc Rocher from the Oxford Internet Institute noted that this is the 198th known exposure of UK Biobank data since last summer, adding that not enough is being done to remove stolen data from the web.
Background and Previous Concerns
Last year, plans to give Chinese researchers access to GP records of 503,000 UK Biobank volunteers sparked outrage. MPs, security experts, and former spy chiefs warned that the hostile state could gain insights into 'strategic aspects of the nation's life', potentially aiding bioweapon development. In April, UK Biobank announced that NHS England had audited its international data-sharing processes, including applications from China, and passed. In February, Health Secretary Wes Streeting allowed coded GP data of all volunteers to be shared with UK Biobank, a decision that shocked security experts.
Professor Sir Rory Collins, UK Biobank chief executive, apologised to participants for the concern this will cause. The database can be accessed by researchers worldwide for an annual sign-up fee of £3,000.
