500,000 UK Biobank Records Found on Alibaba

UK Biobank confirmed that data linked to about 500,000 volunteers was listed for sale on the Chinese e-commerce site Alibaba. Investigators traced the listings to three research institutions. UK Biobank revoked their access and paused new data requests while it reviews security controls.

The dataset included genetic sequences, blood samples, medical imaging and detailed health and lifestyle records. UK Biobank said the data was de-identified and did not include names, addresses or NHS numbers, but it contained detailed demographics such as gender, age, birth month, socioeconomic indicators, lifestyle information and clinical measures. At least one listing referenced records for all 500,000 volunteers.

Alibaba removed the listings after UK Biobank reported the matter and Chinese authorities intervened. UK Biobank said researchers had downloaded the dataset under legitimate contracts and that it is reviewing contractual and technical protections for sensitive files.

UK Biobank holds more than 15 million biological samples and linked health records from volunteers recruited between 2006 and 2010. The charity typically grants access after vetting universities and private companies and signing contracts that set terms for use and export of data. The organisation did not identify the institutions involved or give a timetable for resuming new access.

National Data Guardian Dr Nicola Byrne commented, “People who generously share their health data to benefit others through medical research rightly expect it to be kept safe and for there to be accountability when things go wrong.”

Privacy specialists warned that de-identification does not eliminate the risk of re-identification when datasets are combined with other public or commercial records. They urged stronger technical protections such as secure analysis environments and limits on bulk downloads and exports to prevent wide copying of sensitive files.

U.S. intelligence and policy agencies have warned that bulk medical and genomic datasets are treated by some states as strategic assets for developing biotechnology, artificial intelligence and precision medicine. Security experts note that genetic data cannot be changed if it is exposed, which creates long-term privacy concerns.

UK Biobank said it will tighten security controls and review its access model. The incident prompted renewed calls for clearer rules on cross-border research access and stronger governance of population-scale genomic and health datasets.