UK Biobank data found for sale on Chinese website Alibaba

The UK government has confirmed that the confidential health records of 500,000 UK Biobank volunteers were offered for sale on the Chinese e-commerce platform Alibaba. The data appeared in three separate listings, at least one of which claimed to contain data from all participants. While the records were de-identified, they were available for download until the listings were removed following intervention by the UK and Chinese governments.

Technology Minister Ian Murray stated that no sales are believed to have occurred. The incident was not a technical leak but a breach of contract by three legitimately accredited research institutions that had downloaded the information. As a consequence, UK Biobank has revoked access for these institutions along with their researchers, and referred itself to the Information Commissioner's Office (ICO). In addition, it has suspended its research platform for an estimated three weeks in order to implement an automated airlock system designed to prevent data from being removed from the platform in the future.

The breach follows previous reports of data exposure and has intensified concerns about UK Biobank's security protocols. Until late 2024, accredited researchers were allowed to download data directly to their own systems. 

Training Announcement: The IAPP Certified Information Privacy Technologist (CIPT) is a privacy-focused professional IT certificate from the IAPP that addresses data protection requirements and controls within complex technological environments. It explores the data lifecycle, privacy risk models and frameworks, the principles of Privacy by Design, and the role of privacy-enhancing technologies within the organisation. Find out more.