Half‑Million UK Biobank Records Listed on Alibaba, Officials Say Leak Will Persist

The UK Biobank, a research resource containing genetic and health information from 500,000 volunteers, discovered that a de‑identified dataset was listed on the Chinese e‑commerce platform Alibaba. The breach was first reported by a whistle‑blower and quickly prompted an emergency statement from the technology minister.

Lord Patrick Vallance, the UK’s science minister, told the House of Lords that the government has already worked with Chinese officials to take down the postings. He identified three Chinese hospitals—Second Xiangya Hospital, China‑Japan Union Hospital, and Beijing Chaoyang Hospital—as the institutions behind the listings. Vallance warned that “new listings will emerge” and that the UK is coordinating with Chinese authorities to remove them swiftly.

The data were stripped of names, addresses and exact birth dates, a process known as de‑identification. Vallance described the risk of re‑identification—linking anonymized records back to individuals—as low but not negligible, citing a recent Guardian investigation that re‑identified a participant using only a birth date and surgical information. The breach underscores the growing ability to triangulate large datasets and approach personal identification.

In response, UK Biobank has temporarily suspended all data access and is pursuing removal of at least 30 other recent breaches, including a separate leak of 96,000 records uploaded inadvertently by a Yale graduate student. Researchers tracking data breaches, such as Dr. Luc Rocher of the Oxford Internet Institute, confirm that some datasets remain online pending removal.

The incident raises practical concerns for participants and researchers. Volunteers should be aware that even de‑identified data can pose privacy risks, especially when combined with other public information. Researchers must enforce stricter data‑sharing protocols and consider secure, controlled environments for large‑scale datasets.

What to watch next: monitor UK‑China cooperation on data removal and any policy changes aimed at tightening security for large biomedical databases.