UK Biobank holds medical records of 500,000 British volunteers and is one of the world's most comprehensive stores of health information, according to multiple reports. The charity, founded in 2003 by the Department of Health and medical research charities, has been cited in more than 18,000 peer-reviewed scientific papers. In late 2024, the government extended Biobank's access to volunteers' GP records.
A Guardian investigation found that scientists approved to access Biobank's data have sometimes been careless about its security. Until late 2024, researchers were free to download data directly onto their own computer systems. Data had been inadvertently published online because researchers accidentally uploaded Biobank datasets to GitHub when intending to upload code. One dataset found by the Guardian contained millions of hospital diagnoses and associated dates for more than 400,000 participants. With consent of a Biobank volunteer, the Guardian was able to pinpoint extensive hospital diagnosis records for that volunteer using only month and year of birth and details of a major surgery. Between July and December 2025, UK Biobank issued 80 legal notices to GitHub to remove data. However, much of the leaked data still remains available online.
Separately, the details of 500,000 UK Biobank members were offered for sale online in China on Alibaba. Technology minister Ian Murray confirmed the data was listed for sale on Alibaba. The data had been legitimately downloaded by three research institutions in China. At least one of the three data sets appeared to contain data from all 500,000 UK Biobank volunteers. The data involved could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples. The three Chinese institutions have had their access revoked. No purchases were made from the three listings on Alibaba. The listings have been taken down with cooperation from the Chinese government.
The UK Biobank charity informed the Government that it had identified their data had been advertised for sale by several sellers on Alibaba e-commerce platforms in China. Biobank told us that in three listings that appeared to sell... Biobank participation data had been identified. At least one of these three data sets appear to contain data from all 500,000 UK Biobank volunteers.
UK Biobank rejected the concerns, saying no identifying data such as names and addresses were provided to researchers. UK Biobank CEO Sir Rory Collins said they have never seen evidence of any participant being re-identified. UK Biobank prohibits researchers from sharing data outside their systems and has introduced further training. Sir Rory said the charity temporarily closed access to the research platform. He apologized to participants and said additional security measures will be put in place.
Technology minister Ian Murray called the breach an 'unacceptable abuse' of data. He said he could not give a complete guarantee that nobody could be identified, but said it would likely only be done through a 'very advanced way'. A data expert said the scale and persistence of the problem was 'shocking'. The charity which runs Biobank told the government about the data breach on Monday.
The exposed files do not include names or addresses, according to multiple reports. The information did not include names, addresses, contact details or telephone numbers. UK Biobank volunteers were between 40 and 69 years of age when they joined between 2006-2010.
How exactly the data ended up for sale on Alibaba remains unclear, as does whether it was uploaded by the same researchers who leaked it on GitHub. The full extent of the data exposed on GitHub that has not yet been removed is unknown. It is also unclear what specific additional security measures UK Biobank is implementing to prevent future leaks, and whether the charity will face any legal or regulatory consequences for the breaches.