Statement from UK Biobank
On 16th June 2020, UK Biobank became aware that information submitted via reply forms on our website had become externally accessible. This occurred when the password protection on a file, containing reply forms from about 6,000 individuals who visited the website and provided feedback, was mistakenly removed in January 2019 by the external company that managed the UK Biobank website.
The forms were administrative in nature (such as requests to attend events and/or feedback about UK Biobank and its activities), and included limited personal information (e.g. name, date of birth and/or contact details). Roughly 400 forms contained some self-reported health information (for example, that the person had diabetes or rheumatoid arthritis).
As soon as we were made aware of the existence of this unprotected file on the website, we had it removed and notified the Information Commissioner’s Office (ICO). We also appointed external IT security experts (IBM and NCC Group) to confirm that there was no other unprotected personal information on the website and to test all our IT systems and databases as a precautionary measure. We have provided a detailed report to the ICO, which is available to read in full here. We have also written individually to each of the people affected to inform them of what has happened and to apologise.
The website is entirely separate from all of UK Biobank’s other data (including databases containing detailed information about the 500,000 study participants), which are held internally behind secure firewalls. UK Biobank’s databases are subjected to regular penetration testing by external IT security experts. The most recent previous test in June 2019, as well as the tests that we have conducted now, confirm that all of UK Biobank’s databases are secure.
Although this error was made by an external website company (which is no longer engaged by us), UK Biobank takes full responsibility for its occurrence. We are acutely aware that the continued success of UK Biobank – which amongst other things is providing vital research into COVID-19 – relies on the trust put in us by our participants, our partners and the public. We hope therefore that the steps we have taken demonstrate that we take such matters extremely seriously and that we acted appropriately as soon as we discovered this problem on the website.
If you have any questions about this matter, please contact UK Biobank by email (firstname.lastname@example.org) or by telephone to our Participant Resource Centre (tel: 0800 0276 276; 9am to 5pm, Monday to Friday).