UK Biobank data hacked and listed for sale in China

A major data security incident has hit UK Biobank, one of the world’s largest long-term public health research initiatives, after listings advertising access to records of 500,000 project participants were found for sale on Alibaba, the Chinese e-commerce giant, UK government officials have confirmed.

UK Technology Secretary Ian Murray confirmed details of the breach in a statement to Members of Parliament this week, noting that the charity that manages UK Biobank first notified the UK government of the unauthorized listings on Monday. In an effort to address widespread public concern, Murray emphasized that none of the data included in the advertised listings contained direct personally identifiable information, including full names, residential addresses, contact information, or telephone numbers.

Founded in 2006, UK Biobank holds anonymized genetic, lifestyle and health records from 500,000 volunteer participants across the United Kingdom. The dataset has become a foundational resource for global medical research, enabling groundbreaking advances in the detection and treatment of conditions ranging from dementia and multiple types of cancer to Parkinson’s disease, improving health outcomes for millions worldwide.

In a public statement released after the incident, UK Biobank Chief Executive Professor Sir Rory Collins acknowledged that the unauthorized listings, even temporary ones, would alarm project participants. “We want to reassure you that all the data are de-identified; they do not contain any personally identifying information (such as names, addresses, dates of birth, and NHS numbers),” Collins said. The institution added that it is conducting a full internal investigation into the incident, and extended gratitude to the UK and Chinese governments, as well as Alibaba, for their rapid cooperation in addressing the issue.

Murray confirmed that as of the latest update, no successful purchases of the data were recorded from the three unauthorized listings posted to the platform. The listings have already been removed from Alibaba’s site following coordinated action between all involved parties, he added.

The UK’s Information Commissioner’s Office (ICO), the national data protection regulator, has also launched its own enquiry into the incident. An ICO spokesperson noted that personal health information is categorized as extremely sensitive data, that the public rightfully expects strict, secure handling of such records, and that all organizations processing health data hold a legal responsibility to protect it. “UK Biobank has made us aware of an incident and we are making enquiries,” the spokesperson added.

Alibaba has not yet released an official statement or comment on the incident as of press time.