UK Biobank data listed for sale in China in apparent breach

‘Rogue’ researchers have been blamed

The government has confirmed that health data from participants in the UK Biobank was briefly listed for sale online in China.

UK Biobank alerted the government to the issue on Monday, and technology minister Ian Murray has now told MPs that information relating to all 500,000 volunteers in the database appeared on the e-commerce platform Alibaba.

The data did not include direct identifiers such as names, addresses or contact details. However, it may have contained demographic and health-related information, including gender, age, birth month and year, lifestyle factors and biological measurements.

The UK Biobank is a long-running scientific programme that has collected extensive medical and genetic data from volunteers over more than two decades. Participants, aged between 40 and 69 at recruitment between 2006 and 2010, have contributed information ranging from DNA sequences to full-body scans and health records.

The dataset has supported research into conditions such as dementia, cancer and Parkinson's, contributing to more than 18,000 scientific publications.

In a message to participants, chief executive Rory Collins said the organisation understood concerns about the listings but stressed that all data had been anonymised.

"We want to reassure you that all the data are de-identified; they do not contain any personally identifying information (such as names, addresses, dates of birth and NHS numbers)," he said.

Collins added that the data involved had been shared with researchers at three institutions and its appearance online represented "a clear breach of contract."

Access for those institutions and individuals has since been suspended. The listings were removed swiftly with the cooperation of UK and Chinese authorities and Alibaba, he said.

The government has been told that no purchases were made.

'Rogue researchers' blamed

UK Biobank's chief scientist Naomi Allen told the BBC the incident was ultimately the responsibility of "rogue researchers."

They "are giving the global scientific community a bad name," she said, adding that the organisation was "extremely cross" about the breach and apologised to participants.

Additional safeguards have been introduced, including temporary suspension of platform access, stricter limits on file exports and enhanced monitoring for suspicious activity.

Criticism and scrutiny

Although UK Biobank has blamed researchers, experts have criticised its own data handling.

Prof Felix Ritchie, an economist at the University of the West of England, described the situation as "supremely careless."

"They have been irresponsible and it's really sad because UK Biobank is a fantastic resource," he said.

"Once it's out there, you can't get rid of it," he added, warning that further data could already be circulating beyond public platforms.

The Information Commissioner's Office confirmed it is making enquiries after being notified of the incident.

"People's medical data is highly sensitive information… organisations also have a responsibility under the law," a spokesperson said.

Dray Agha, senior manager of security operations at Huntress, warned that medical datasets are increasingly valuable targets in the global cybercrime economy.

"When datasets of this scale are advertised on mainstream e-commerce platforms, it signals a bold escalation in how threat actors monetise stolen sensitive information," he said.

"Organisations like UK Biobank are built on trust and open collaboration, but this breach proves that 'security by obscurity' is dead."

Jake Moore, Global Cybersecurity Advisor at ESET, noted that even anonymised data can potentially be re-identified using advanced technologies.

"Genetic data is effectively a fingerprint," he said.

"Unfortunately, once data is out, even briefly listed, you've lost control forever whether it sold or not, so this could be damaging over time too."

Moore cautioned that participants should remain alert to possible follow-up scams, such as fake NHS calls or insurance offers.