Private data belonging to 500k volunteers in the UK Biobank was subject to sale on Alibaba, a Chinese retail digital platform
Hailed as one of the world's largest retailers and e-commerce enterprises, Alibaba is the platform where medical information of half a million participants of the UK’s health data project was listed.
The biobank is a non-profit organisation led by Professor Sir Rory Collins, Chief Executive and Principal Investigator of UK Biobank. Collins assured participants that “all data are de-identified; they do not contain any personally identifiable information (such as names, addresses, dates of birth, and NHS numbers).”
The news was confirmed by Ian Murray, UK technology minister. According to Murray, the charity that runs UK Biobank informed the government of the data breach earlier on Monday, April 20, 2026. In his statement to MPs, the technology minister stressed that the leak did not unveil participants’ names, addresses, contact details or telephone numbers.
In lieu of the data breach news, Dame Chi Onwurah, Science, Innovation and Technology Committee Chair, expressed concern, stating that the highly sensitive data held by the biobank has not been subject to proper controls.
“My committee has carried out extensive scrutiny of public sector information security and data hygiene, and in February Ian Murray and government officials assured us that standards would improve, and public data would be better protected.”
Onwurah further noted that little progress has been made, raising serious questions about “whether lessons have been learned from repeated data breaches and leaks, and whether robust data management practices are being enforced at publicly funded bodies.”
“Public trust in the handling of sensitive data is key to the government’s digital transformation ambitions,” added the Science, Innovation and Technology Committee Chair. “This is another to public confidence.”
The UK Biobank comprises health data of volunteers to help make improvements in the detection of dementia, as well as certain cancers and Parkinson’s.
Also Read: Vercel Security Breach from Employee’s AI tool: What Businesses Must Learn
UK Biobank Assures Data Safety
Collins issued an official apology statement to volunteers affected by the data breach. The statement noted that the participants' “personally identifying information in UK Biobank is safe and secure.”
“Listings offering access to UK Biobank data (which did not contain any personally identifying information) were found on a Chinese consumer website,” the statement emphasised. “These listings were swiftly removed before any purchases were made.”
The Biobank is conducting a comprehensive investigation of the data breach incident. The organisation discovered that “de-identified participant data made available to researchers at three academic institutions” was listed on a Chinese consumer website owned by Alibaba.
Post identification, the biobank sought support from the Chinese government and Alibaba to act on the breach swiftly and obliterate those listings from the website before any sales were made.
“This is a clear breach of the contract signed by these academic institutions, and they, along with the individuals involved, have had their access suspended,” Collins stated.
As a part of the contract, researchers accessing the biobank’s data are permitted to conduct research with restrictions in place on the system's cloud-based research platform hosted in the UK.
However, owing to the data breach incident, further actions will be taken to ensure that UK Biobank’s systems are not subject to repetition.
As of now, all access has been temporarily suspended to the UK Biobank research platform. Collin said that a strict limit on the size of files that can be taken off the platform has been set. “This measure will allow researchers to export the results of their research, while severely limiting their ability to take any de-identified participant data off the platform.”
Also, the exported files will be subject to surveillance daily on the lookout for suspicious activity.
“These security measures will further minimise the potential for misuse of UK Biobank data,” added Collions. “We will conduct a comprehensive and forensic Board-led investigation of this incident.”
Comments ( 0 )