> It has given 20,000 researchers around the world access under strict agreements that prohibit sharing data further.

To me it seems rather naive to have done that.

After all, you can't un-leak medical data. So even if the "strict agreement" included huge punishments, there's no getting the toothpaste back in the tube.

If you want to ensure compliance before a leak happens you have to (ugh) audit their compliance. And that isn't something that scales to 20,000 researchers.

Too late to do anything about it now though :(