UK Biobank health data listed for sale in China, government confirms

The UK government has confirmed that health data from 500,000 participants in the UK Biobank project was found for sale on an online platform in China. Technology minister Ian Murray revealed the discovery during a parliamentary session, noting the information appeared on Alibaba’s website.

According to Murray, the data breach was reported by the charity managing the UK Biobank on Monday. He emphasized that the exposed details did not include personal identifiers like names, addresses, or contact information. The ministry has since reached out to Alibaba for further clarification.

The UK Biobank, which collects health data from volunteers, has been utilized to advance research on conditions such as dementia, Parkinson’s, and certain cancers. In a statement, the organization confirmed its investigation into the incident and expressed gratitude to both UK and Chinese authorities for their collaboration.

“We understand that the existence of these listings, even temporarily, will be concerning to you,” said Sir Rory Collins, the charity’s chief executive. “We want to reassure you that all the data are de-identified; they do not contain any personally identifying information (such as names, addresses, dates of birth, and NHS numbers).”

Murray clarified that no data had been purchased from the three listings on Alibaba. He added that the listings were promptly removed, with the government expressing appreciation for the Chinese authorities’ assistance. The data had been shared with three research institutions, he noted, and Alibaba’s swift action helped mitigate the issue.

Reacting to the situation, Liberal Democrat technology spokeswoman Victoria Collins called it a “profound betrayal” and urged accountability from UK Biobank. Meanwhile, Reform UK’s deputy leader accused the breach of being a “China data theft scandal,” questioning whether the £200 million investment would be misused.

“Can the minister confirm that our generosity actually will not be abused by those Chinese researchers and that UK Biobank should preclude and exclude them for the future, in order to ensure that this state of theft comes with sanctions?” asked Richard Tice.

Murray countered that the breach was not due to a leak or cyber-attack but a “legitimate download” by an accredited entity. He defended the ongoing collaboration with Chinese researchers, stating that thousands have been working safely with UK Biobank data since 2012.

Following the incident, the UK Biobank announced measures to strengthen data security. These included temporarily restricting access to its research platform, limiting file sizes for removal, and monitoring exports daily for suspicious activity. A full investigation by the organization’s board is also underway.

Outside the UK? Sign up for our Tech Decoded newsletter to follow the world’s top tech stories and trends. Sign up here.