Your Medical Records Were Being Sold on Alibaba.
Quick Reads
- DNA and health data from 500,000 UK Biobank volunteers appeared for sale on Alibaba
- Three Chinese research institutions were identified as the source of the listings.
- No purchases were made before the listings were removed
- UK Biobank has referred itself to the Information Commissioner’s Office
- Further data access has been paused pending stronger security measures
Half a million people signed up to help science understand ageing and disease. They gave blood samples, answered personal questions, and trusted a world-renowned charity with their most private biological information. This week, that trust took a serious hit.
The UK Biobank data breach has sent shockwaves through both the scientific community and government halls in London. DNA and health data from 500,000 Biobank volunteers were found advertised for sale in three separate listings on Alibaba’s e-commerce platform in China, UK Technology Minister Ian Murray told lawmakers in the House of Commons on Thursday. The listings did not include names, addresses, or contact details, but the data was detailed enough that officials acknowledged it could not be guaranteed that individuals would remain unidentifiable if the records fell into the wrong hands.
Murray described the incident as “an unacceptable abuse of the UK Biobank charity’s data and an abuse of the trust that participants readily expect.” Three Chinese research institutions with legitimate, approved access to the Biobank dataset were identified as the source of the postings. Their access has since been revoked, and Biobank has been asked to pause all further data sharing while a technical fix is implemented to prevent mass downloads from its current platform.
The UK Biobank data breach came to the government’s attention when Biobank notified officials on Monday. Working alongside the Chinese government and Alibaba, British authorities moved quickly to have the three listings removed before any sale was completed. Murray confirmed no purchases were made. The cooperation of Chinese authorities, he added, deserved acknowledgement.
Biobank’s chief executive, Professor Sir Rory Collins, issued a public apology to volunteers, saying their identifying information remained safe but confirming that listings offering access to the research data had appeared on what he described as a “Chinese consumer website.” He noted that an interim measure limiting the size of file exports was being implemented immediately, while a more comprehensive automated checking system is not expected to be in place until late 2026.
The charity has referred itself to the Information Commissioner’s Office, which has the power to issue fines of up to 4% of annual global turnover for failures to protect personal data, though such penalties are rare for non-profit organisations. The Biobank database holds more than 15 million biological samples and health records from volunteers recruited between 2006 and 2010. It is relied upon by researchers worldwide studying cancer, dementia, and diabetes, among other conditions.
This is not the first time questions have been raised about Chinese access to the database. A report from The Guardian last year found that one in five successful applications to access UK Biobank data came from Chinese institutions, including some affiliated with BGI, China’s largest genomics company, which has been sanctioned by the United States over concerns about surveillance of ethnic minorities. A separate US intelligence assessment has described bulk health and genomic data as a “strategic commodity” that cannot, unlike a compromised password, be replaced.
