UK Biobank data breach exposes health records of 500,000 volunteers online

Health data from approximately 500,000 participants in the United Kingdom’s UK Biobank research program was discovered listed for sale on a Chinese website, prompting a government response and an ongoing investigation into the breach.

Technology minister Ian Murray confirmed that the dataset appeared on the e-commerce platform Alibaba and that the UK government was alerted earlier this week. The exposed information did not include direct identifiers such as names, addresses or contact details, but it contained sensitive attributes including age, gender, month and year of birth, socioeconomic background, lifestyle habits and biological measurements derived from medical samples.

UK Biobank, a major biomedical database and research resource that collects and provides anonymized health data to scientists worldwide, has compiled extensive records over more than two decades. The dataset includes DNA sequences, full-body scans and detailed medical histories from volunteers who were recruited between 2006 and 2010. The resource has supported more than 18,000 scientific studies, contributing to advancements in the detection and treatment of conditions such as dementia, cancer and Parkinson’s disease.

The organization stated that the compromised data had been accessed by researchers affiliated with three academic institutions and that the listing represented a breach of contractual terms governing data use. Access for those institutions and individuals has been suspended. The listings were removed shortly after discovery with cooperation from authorities and the platform operator, and officials confirmed that no purchases of the data were recorded.

UK Biobank temporarily restricted access to its database following the incident and introduced additional safeguards, including limits on file exports and enhanced monitoring for suspicious activity. The organization is also developing an automated system designed to prevent unauthorized removal of data from its secure research environment.

The Information Commissioner’s Office has been notified and is making inquiries into the breach. Government officials described the incident as a serious misuse of sensitive data and emphasized the importance of maintaining public trust in large-scale health research initiatives.