Confidential UK BioBank health records exposed online

An investigation by The Guardian has revealed that confidential health data from UK Biobank, one of the world's largest medical research projects, has inadvertently been exposed online dozens of times. The exposure stems from researchers accidentally uploading sensitive datasets to the code-sharing platform GitHub alongside their analysis code. While the files do not contain names or addresses, they include millions of hospital diagnoses, test results, and birth dates for more than 400,000 participants.

To test re-identification risks, the Guardian employed an external data scientist who successfully pinpointed a volunteer's extensive medical history using only their birth month, year, and details of a single surgery. Despite this, UK Biobank rejected privacy concerns, stating that there is no evidence that participants have been re-identified by others. The organisation argued that identification is only possible if participants themselves post personal information elsewhere, and maintains that the data is not identifying in isolation.

However, the scale of the issue has escalated recently, with UK Biobank issuing 80 legal takedown notices to GitHub between July and December 2025. While the organisation previously allowed scientists to download data to private systems, it has since introduced additional training and is proactively searching for leaked repositories. 

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.