Private health records of half a million Britons offered for sale on Chinese website

. UK edition

Automated storage system at UK Biobank's genome sequencing facility
UK Biobank, which holds data from half a million people. Photograph: Dave Guttridge/UK Biobank/PA

Technology minister tells Commons ‘de-identified’ information from UK Biobank advertised for sale on Alibaba

The confidential health records of half a million British volunteers have been offered for sale on Chinese website Alibaba, the UK government has confirmed.

The “de-identified” data, belonging to participants in the UK Biobank project, was found for sale on three separate listings last week. Ian Murray, the technology minister, told the Commons on Thursday that, after working with the Chinese government and Alibaba, the records had now been removed. It is not believed any sales were made.

The latest breach comes after the Guardian revealed last month that sensitive UK Biobank data has been exposed online dozens of times, raising further questions about whether security has been too lax.

“On Monday 20 April, the UK Biobank charity informed the government that it had identified their data had been advertised for sale by several sellers on Alibaba’s e-commerce platforms in China,” Murray said.

“Biobank told us that three listings that appear to sell … Biobank participation data had been identified. At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers.”

Murray added: “I want to thank the Chinese government for the speed and seriousness with which they worked with us to help remove those listings and the ongoing work to remove any further listings.”

UK Biobank has referred itself to the Information Commissioner’s Office.

Chi Onwurah, chair of the Commons science, innovation and technology committee, said the “incredibly serious” breach came as “yet another blow to public trust at a time when we need the benefits of digitalisation to be embraced by all”. “It’s really coming to something if we’re having to rely on the Chinese government to keep our data secure,” she said.

The UK Biobank holds the health data of 500,000 volunteers, including genome sequences, brain scans, blood samples and diagnostic records. Scientists at universities and private companies across the world apply for access, and the project has been described as the “jewel in the crown of UK science”. In February, the health secretary, Wes Streeting, issued a legal direction that allowed the coded GP data of all volunteers to be shared with UK Biobank for the first time.

The data being advertised on Alibaba was “de-identified”, meaning it does not include names, addresses or precise dates of birth. But such data can still pose privacy risks. Last month, the Guardian was able to apparently re-identify a single participant in another UK Biobank dataset that had been leaked online, which provided access to extensive hospital diagnosis records for that individual.

Murray said the government had ensured Biobank had revoked access to the three research institutions identified as the source of the data. Biobank has also temporarily suspended all access to its data.

Since 2024, scientists have been required to analyse data in Biobank’s cloud-based research platform – a system put in place to improve data security. It is understood that, while researchers are required to sign an agreement not to download raw participant data, there has been no technical block on this. One data privacy expert described this setup as “an extraordinary failure”.

Prof Felix Ritchie, an economist at the University of the West of England, said UK Biobank had been “supremely careless” with volunteers’ data. “They have been irresponsible and it’s really sad because UK Biobank is a fantastic resource.”

“I don’t think they’ve got a grip of it,” Ritchie added. “The amazing thing today is that it is for sale on the public internet. I expect that there’s lots more information on the dark web. And once it’s out there, you can’t get rid of it.”

Prof Rory Collins, chief executive and principal investigator of UK Biobank, said: “We take the protection of participants’ data extremely seriously and do not tolerate any form of data misuse. With support from the UK government, Chinese authorities and Alibaba, three listings for de-identified data were swiftly removed before a sale was made. The actions of these individuals are a clear breach of the contract they signed with UK Biobank and they, along with their academic institutions, immediately had their access suspended.

“We apologise for the concern this will cause and have already put in place technology, processes and a board-led review to stop this happening again. We have also taken our research platform offline while we add a further upgrade that helps prevent de-identified data being taken out of the platform. We expect this to take three weeks. Our existing plans to implement an automated ‘airlock’ that checks files and data continues at pace.”