UK Biobank Data Leak

Hackers stole de-identified medical research records from UK Biobank and offered them for sale on Alibaba, exposing data linked to about 500,000 volunteers. (bbc.co.uk) UK technology minister Ian Murray told Parliament on April 23, 2026 that three Alibaba listings advertised the data, and at least one appeared to cover all 500,000 participants. The government said it learned of the listings on Monday, April 20. (politico.eu) UK Biobank said the listings were removed before any purchases were made and that the exposed files did not include personally identifying information such as names, addresses, email addresses, mobile numbers, or National Health Service numbers. (ukbiobank.ac.uk, ukbiobank.ac.uk) UK Biobank is one of Britain’s biggest medical research databases, built from genetic, biological, imaging, and health records donated by 500,000 people for approved studies. The charity says researchers have used its data since 2012 and that the project has supported thousands of discoveries. (ukbiobank.ac.uk, ukbiobank.ac.uk) The case turned on de-identified data, which means direct identifiers are stripped out before researchers get access. UK Biobank’s protocol says the identifiable file is stored separately and encrypted, while research records include detailed traits such as height, weight, blood pressure, diagnoses, and genetic data. (ukbiobank.ac.uk) That distinction has been under pressure for weeks. On March 14, 2026, UK Biobank acknowledged reports that researchers had unintentionally posted de-identified participant data in online code repositories, after a Guardian investigation described dozens of exposures. (ukbiobank.ac.uk, digitalhealth.net) After the Alibaba listings surfaced, UK Biobank suspended access to its research platform, blocked large exports, and said it would monitor all exported files daily for suspicious activity. It also suspended the three academic institutions and individuals linked to the listed datasets. (ukbiobank.ac.uk) Murray told MPs that UK Biobank had referred itself to the Information Commissioner’s Office, Britain’s data regulator. He also said the UK government worked with the Chinese government and Alibaba to get the listings removed. (politico.eu, yahoo.com) UK Biobank told participants it had “no evidence” anyone had been identified unwillingly, but it also said it did not want its data used by anyone who had not been approved for access. For a project built on volunteer consent, that is now the test in front of investigators and the charity itself. (ukbiobank.ac.uk)