Ministers urged to improve protection for British public after UK Biobank breach

Health data belonging to half a million volunteers who contributed to the UK Biobank – one of the world’s most comprehensive biomedical research resources – has been offered for sale on a Chinese e-commerce platform, the government has confirmed. Science minister Ian Murray described the incident as an “unacceptable abuse” of data and told MPs that the charity had informed ministers on Monday that three listings had been identified on Alibaba’s websites. At least one of those listings appeared to contain data from all 500,000 participants, while additional entries offered support for researchers seeking legitimate access to the Biobank or analytical services.

Data breach details and implications for participants

The datasets did not include names, addresses or contact details, Mr Murray said, but they did contain a wide range of sensitive health and personal information. The compromised material could include gender, age, month and year of birth, socioeconomic status and lifestyle habits, as well as measures from biological samples such as haematology, biochemistry, metabolomic and proteomic data. Records on health outcomes – including cancer diagnoses, dates of diagnosis, mental health conditions, self-reported medical history, cognitive function and physical measurements – were also reportedly included in the listings.
Although the data was described as “de-identified”, experts have warned that the combination of details available could pose a genuine risk of re-identification. Will Richmond-Coggan, a partner specialising in data breach litigation, noted that “de-identified” data can still qualify as personal data under UK law, and that the mixture of home location, personal circumstances and medical symptoms created a “real risk of re-identification”. Professor Luc Rocher of the Oxford Internet Institute said this was the 198th known exposure of UK Biobank data since the previous summer, and that some of the data “remains available online for anyone to download today”. Mr Murray conceded that he could not give a complete guarantee that nobody could be identified, though he said doing so would probably require a “very advanced way”.
UK Biobank immediately revoked access for the three research institutions identified as the source of the leak, and the charity has referred itself to the Information Commissioner’s Office. The government worked with the Chinese authorities and Alibaba to ensure the listings were taken down, and Mr Murray told the Commons that officials had spoken to the vendor and did not believe any purchases had been made before removal. He thanked the Chinese government for its co-operation in the takedown. Additionally, UK Biobank has temporarily paused all further data access until a technical solution is implemented to prevent data from being downloaded in the same way again. Interim measures include a strict limit on the size of files that can be exported from the research platform, with daily monitoring of all exported files. An automated checking system is being developed and is expected to be in place by the end of the year.

Political reaction and calls for stronger protections

The breach has drawn sharp criticism from MPs, particularly from Dame Chi Onwurah, the Labour chair of the Science, Innovation and Technology Committee. She said the incident was “another blow to public confidence” and demonstrated “just how little progress had been made” in protecting public data. Dame Chi recalled that Mr Murray had given her assurances in February that standards of public sector information security and data hygiene would improve. “This raises serious questions about whether lessons have been learned from repeated data breaches and leaks, and whether robust data management practices are being enforced at publicly funded bodies,” she said. She added that public trust in the handling of sensitive data was essential to the government’s digital transformation ambitions.
Mr Murray, the minister for digital government and data, told the House that the government had taken immediate steps to protect participants’ data: working with the Biobank, the Chinese government and Alibaba to remove the listings; revoking access for the three institutions and the individuals involved; and pausing access to the Biobank’s research platform. He confirmed that the pause was now in place and that UK Biobank had been asked to implement a technical solution before data access could resume.

Scientific importance and infrastructure concerns

UK Biobank is a major biomedical research resource that collects genetic, lifestyle and health data from 500,000 volunteers who were aged between 40 and 69 when they joined between 2006 and 2010. The cohort is predominantly of white ethnicity (94.6 per cent), reflecting the UK population at the time of recruitment, and exhibits a slight “healthy volunteer bias” – participants tend to be wealthier and healthier than the general population. The de-identified data is made available to researchers worldwide through the UK Biobank Research Analysis Platform (UKB-RAP), with more than 22,000 scientists from over 60 countries using it. Since 2012, the resource has contributed to over 18,000 peer-reviewed papers and has been used to achieve improvements in the detection and treatment of dementia, cancers and Parkinson’s disease.
Professor Elena Simperl of the Department of Informatics at King’s College London said the incident should not be a moment to “point fingers” but rather to take seriously what it reveals about national data infrastructure. “What happened here was an infrastructure problem, not the result of a complex cyber attack. Too often, the costs of maintaining infrastructure for flagship data stewardship projects like this are treated as an afterthought,” she said. “The UK has built something remarkable, but we need to keep investing in keeping it safe.” Her comments echoed concerns raised by other experts about the need for sustained investment and robust data handling skills, especially given that a previous incident in March 2026 saw de-identified Biobank data unintentionally added to online code repositories by researchers.
Professor Sir Rory Collins, chief executive and principal investigator of UK Biobank, issued a statement apologising to participants for the concern caused and seeking to reassure them that their personally identifying information remained “safe and secure”. He confirmed that the listings had been removed before any purchases occurred, and outlined additional security measures, including regular independent security testing and compliance with ISO/IEC 27001 standards. A comprehensive, board-led investigation into the incident is under way. “Since UK Biobank started to make your de-identified data available for research in 2012, it has led to thousands of discoveries that are already leading to improvements in the prevention and treatment of many different diseases,” he said.



