Ask Onix
UK government confirms UK Biobank data breach
The personal health records of half a million UK Biobank participants were listed for sale on a Chinese e-commerce platform, the UK government revealed on Thursday. Technology minister Ian Murray informed Parliament that the database, which supports medical research, had been advertised on Alibaba's website.
What information was exposed?
The data did not include names, addresses, contact details, or NHS numbers. However, it contained gender, age, month and year of birth, socioeconomic status, lifestyle habits, and biological sample measurements. Participants, aged 40 to 69, had volunteered their information between 2006 and 2010 for research into diseases such as dementia, cancer, and Parkinson's.
Response from UK Biobank and authorities
UK Biobank, the charity managing the database, confirmed the incident to the government on Monday. Chief Executive Professor Sir Rory Collins assured participants that the data was de-identified, meaning it lacked personally identifiable information. He noted that Alibaba had swiftly removed the listings following intervention from UK and Chinese authorities.
"We understand that the existence of these listings, even temporarily, will be concerning to you. We want to reassure you that all the data are de-identified."
Professor Sir Rory Collins, UK Biobank Chief Executive
Minister Murray stated that no purchases were made from the three listings on Alibaba's platform. The Information Commissioner's Office (ICO) acknowledged the breach and said it was making inquiries.
Reactions from participants and experts
Guardian columnist and Biobank volunteer Polly Toynbee expressed confidence in the project's value, stating that the anonymised nature of the data mitigated concerns. "Biobank volunteers passionately believe that what they're doing is incredibly valuable," she told the BBC. "I don't think many people will be very worried because that information is anonymised."
However, cybersecurity experts warned of potential risks. Graeme Stewart of Check Point Software cautioned that the breach could erode public trust in data-sharing initiatives. "It only takes a relatively small drop in participation to start affecting the quality and reliability of research at scale," he said.
Will Richmond-Coggan of Freeths highlighted that even de-identified data could be re-identified due to its detailed nature, classifying it as personal data under certain legal frameworks.
Investigation and next steps
Sir Rory Collins revealed that the data had been made available to researchers at three institutions, constituting a "clear breach of the contract" signed by those academic bodies. Access for the institutions and individuals involved has been suspended pending a forensic investigation.
UK Biobank has implemented temporary measures, including suspending access to its research platform, imposing strict limits on file sizes for downloads, and monitoring file exports daily for suspicious activity.
Professor Elena Simperl of King's College London emphasised the importance of robust data infrastructure, stating that such projects are "absolutely essential" for health innovation. She called for greater investment in maintaining these systems to prevent future breaches.
Political fallout and criticism
Liberal Democrat technology spokeswoman Victoria Collins condemned the incident as a "profound betrayal" and urged the government to hold UK Biobank accountable. Meanwhile, Reform UK's deputy leader Richard Tice labelled it a "China data theft scandal," questioning whether UK taxpayer funds-approximately £200 million-had been misused.
Minister Murray dismissed Tice's remarks as inappropriate, noting that thousands of Chinese researchers have collaborated safely with UK Biobank since 2012. He clarified that the breach did not result from a cyber-attack or leak but from a legitimate download by an accredited organisation.
