UK Biobank, one of the world's most comprehensive stores of health information, holds medical records of 500,000 British volunteers who were between 40 and 69 when they joined between 2006 and 2010, according to the Guardian investigation. Founded in 2003 by the Department of Health and medical research charities, the database has been cited in more than 18,000 peer-reviewed scientific papers, the investigation reported. In late 2024, the government extended Biobank's access to volunteers' GP records, the investigation noted.
The Guardian investigation found that scientists approved to access Biobank's sensitive data have sometimes been cavalier about its security. Until late 2024, researchers were free to download data directly onto their own computer systems, and data had been inadvertently published online by researchers uploading code to GitHub, the investigation found. One dataset found by the Guardian contained millions of hospital diagnoses and associated dates for more than 400,000 participants. With the consent of a Biobank volunteer, the Guardian was able to pinpoint extensive hospital diagnosis records for the volunteer using only month and year of birth and details of a major surgery. One data expert told the Guardian the scale and persistence of the problem was 'shocking'. The exposed files do not include names or addresses, according to multiple reports.
The UK Biobank charity informed the Government that it had identified their data had been advertised for sale by several sellers on Alibaba e-commerce platforms in China. Biobank told us that in three listings that appeared to sell... Biobank participation data had been identified. At least one of these three data sets appear to contain data from all 500,000 UK Biobank volunteers.
UK Biobank rejected the concerns, saying no identifying data such as names and addresses were provided to researchers. UK Biobank CEO Sir Rory Collins said they have never seen any evidence of a UK Biobank participant being re-identified by others. UK Biobank prohibits researchers from sharing data outside their systems and has introduced further training. Between July and December 2025, UK Biobank issued 80 legal notices to GitHub to remove data.
Technology minister Ian Murray confirmed the data was listed for sale on Alibaba and called the breach an 'unacceptable abuse' of data. The charity which runs Biobank told the Government about the data breach on Monday. The information did not include names, addresses, contact details or telephone numbers, and had been legitimately downloaded by three research institutions in China, which have had their access revoked. No purchases were made from the three listings on Alibaba, and the listings have been taken down with the Chinese Government co-operating. At least one of the three data sets appeared to contain data from all 500,000 UK Biobank volunteers. The data involved could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.
UK Biobank CEO Sir Rory Collins said the charity had temporarily closed access to the research platform. He apologised to participants and said additional security measures will be put in place. Ian Murray said he could not give a complete guarantee that nobody could be identified. The full timeline of the Alibaba listings and when exactly they were taken down remains unclear, as does how the three Chinese research institutions obtained the data that was later listed for sale. It is also unknown how many total data exposures have occurred via GitHub and other platforms, and what specific security measures UK Biobank will implement to prevent future breaches.