UK Biobank data found for sale on Chinese website Alibaba

The UK government has confirmed that the confidential health records of 500,000 UK Biobank volunteers were offered for sale on the Chinese e-commerce platform Alibaba. The data appeared in three separate listings, at least one of which claimed to contain data from all participants. While the records were de-identified, they were available for download until the listings were removed following intervention by the UK and Chinese governments.

Technology Minister Ian Murray stated that no sales are believed to have occurred. The incident was not a technical leak but a breach of contract by three legitimately accredited research institutions that had downloaded the information. As a consequence, UK Biobank has revoked access for these institutions and their researchers, referred itself to the Information Commissioner's Office (ICO) and sent a letter to all those affected. In addition, it has suspended its research platform for an estimated three weeks in order to implement an automated airlock system designed to prevent data from being removed from the platform in the future.

The breach follows previous reports of data exposure and has intensified concerns about UK Biobank's security protocols. Until late 2024, accredited researchers were allowed to download data directly to their own systems. 

In an update, BBC News rep[orts thaat Murray has informed MPs that the data did not include names, addresses, or telephone numbers. However, the datasets contain gender, age, month and year of birth, lifestyle habits, socioeconomic status, and biological sample measures.

Sir Rory Collins, chief executive of UK Biobank, acknowledged that it is impossible to completely rule out the identification of individuals by combining this information with other sources, though he stated there is no evidence this has occurred.

Commenting on the article, data protection specialist Jon Baines said that the ICO would likely seek to confirm that the data was truly de-identified and, as such, does not constitute personal data under UK law.

Training Announcement: The IAPP Certified Information Privacy Technologist (CIPT) is a privacy-focused professional IT certificate from the IAPP that addresses data protection requirements and controls within complex technological environments. It explores the data lifecycle, privacy risk models and frameworks, the principles of Privacy by Design, and the role of privacy-enhancing technologies within the organisation. Find out more.