Half Million UK Biobank Records Found for Sale on Alibaba, Triggering Privacy Alarm

TL;DR: Three Alibaba listings offered de‑identified data from as many as 500,000 UK Biobank participants. The files have been removed, but experts say similar data remain downloadable elsewhere, renewing calls for tighter controls.

Context The UK Biobank launched in 2003 and recruited 500,000 volunteers aged 40‑69 between 2006 and 2010. It is a prospective cohort study that collects genetic, clinical, lifestyle, and biological samples. Since 2012, researchers have accessed anonymised data to investigate disease causes and treatments. To date, the resource has produced thousands of peer‑reviewed papers. In addition, the project has completed brain, heart, and organ scans for 100,000 participants, enabling imaging‑sub‑studies that have linked alcohol intake to brain structure changes, diabetes to heart alterations, and COVID‑19 to olfactory‑region damage.

Key Facts Last week three separate postings on Alibaba offered data sets described as belonging to up to 500,000 UK Biobank participants. The listings claimed the information was de‑identified, meaning names, addresses, and precise birth dates were stripped. No sales have been confirmed, and the posts were taken down after the alert. Prof Luc Rocher of the Oxford Internet Institute noted that UK Biobank data remains accessible for anyone to download, not only for sale, and described the incident as the 198th known exposure since last summer. UK Biobank’s chief executive, Prof Rory Collins, wrote to participants assuring that personal identifiers are safe and announced new safeguards, including limits on export file sizes and a forensic board‑led investigation.

What It Means The episode highlights a tension between the scientific value of large, linked health datasets and the risk of inadvertent re‑identification. While de‑identification reduces direct privacy threats, experts warn that combining such data with other sources could compromise anonymity. For participants, the takeaway is to monitor any communications from UK Biobank about security updates and to understand that their contribution supports research that may shape future diagnostics and treatments. For researchers and data custodians, the incident underscores the need for robust access controls, regular audits, and clear policies on data sharing.

Watch for UK Biobank’s forthcoming security audit report and any policy changes that could affect how large‑scale health data are shared globally.