The UK government has confirmed that details of 500,000 UK Biobank members were offered for sale online in China, in what technology minister Ian Murray called an 'unacceptable abuse' of data. The charity running Biobank informed the government about the breach on Monday.
The information exposed did not include names, addresses, contact details or telephone numbers, according to Ian Murray. However, the data could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples. One dataset contained millions of hospital diagnoses and associated dates for more than 400,000 participants. Murray said he could not give a complete guarantee that nobody could be identified, but said this would likely only be possible in a 'very advanced way'.
The breach originated from legitimate access by three research institutions in China, which had been granted permission to download data for approved research. The UK government confirmed that the three institutions have had their access revoked. MI5 had previously warned about concerns that Chinese research groups may share data with Chinese intelligence agencies. The breach was not the result of a hacker group but rather a misuse of authorized access.
No purchases were made from the three listings on Alibaba, according to ministers. The listings have been taken down with the cooperation of the Chinese government. Ian Murray thanked the Chinese Government for their co-operation. At least one of the three data sets appeared to contain data from all 500,000 UK Biobank volunteers, Murray stated.
In response, UK Biobank's chief executive, Sir Rory Collins, said the charity had temporarily closed access to the research platform. He apologised to participants and said additional security measures will be put in place. A pause has been placed on access to the Biobank while a technical solution is implemented. UK Biobank has also introduced additional training for researchers and is proactively searching for leaked repositories.
The re-identification risk of de-identified data has been a point of contention. The Guardian demonstrated that a volunteer could be re-identified using only month and year of birth and details of a major surgery, raising privacy concerns. However, UK Biobank rejected these concerns, stating no identifying data was provided to researchers. Prof Sir Rory Collins stated there is no evidence of any UK Biobank participant being re-identified by others.
This incident is not isolated. Research has shown that confidential health data from UK Biobank has been exposed online on dozens of occasions. Until late 2024, researchers were free to download data directly onto their own computer systems. Data was inadvertently published on GitHub when researchers uploaded code along with partial or entire Biobank datasets. UK Biobank issued 80 legal notices to GitHub between July and December 2025 to remove data.
UK Biobank is the world's most comprehensive dataset of biological, health and lifestyle information, according to multiple reports. It holds medical records of 500,000 British volunteers who were between 40 and 69 years of age when they joined between 2006 and 2010. The Biobank was founded in 2003 by the Department of Health and medical research charities. Data from Biobank has been cited in more than 18,000 peer-reviewed scientific papers.
There is a contradiction in the nature of the exposure: initial reports indicated that de-identified data was listed for sale on a Chinese consumer website (Taobao), suggesting malicious intent. However, data was also inadvertently exposed on GitHub due to researcher error, indicating negligence. Both may be true as separate incidents. The listings on Taobao were swiftly removed before any purchases were made, according to Prof Sir Rory Collins.
Several unknowns remain. It is unclear how many distinct data exposure incidents occurred, including both GitHub leaks and sale listings. The specific Chinese research institutions involved and their relationship with UK Biobank have not been disclosed. The timeline of the breach discovery and response actions is also not fully known. Additionally, the number of participants whose data was actually exposed in the GitHub leaks has not been confirmed.
