UK Biobank Confirms 500,000 Participants' Health Data Listed for Sale on Alibaba

Nurse taking blood from person as biobank logo appears on screen in background.
UK technology minister Ian Murray has confirmed that the health data of 500,000 UK Biobank participants was listed for sale on Alibaba. The de-identified data had been obtained through academic institutions holding approved access; offering it for sale breached their contracts, and access for the parties involved was suspended immediately.
UK Biobank operates as a biomedical database, providing de-identified genetic, physical, and medical data from volunteers to approved researchers. This supports studies aimed at improving disease prevention and treatment for conditions such as cancer and dementia. Recently, listings appeared on the Chinese e-commerce platform Alibaba offering this sensitive information.
On April 20, UK Biobank alerted the government to three specific listings on Alibaba. At least one listing reportedly contained data from all 500,000 participants. The listed data included de-identified information such as gender, age, month, and year of birth; it did not contain names, addresses, or contact details.
Professor Sir Rory Collins, CEO of UK Biobank, stated that the data originated from three academic institutions. These institutions and the individuals involved had their access suspended for breaching contractual terms. Alibaba swiftly removed all identified listings, preventing any sales from occurring.
This incident highlights critical weaknesses in data access management, even for de-identified datasets. Kristy Gouldsmith, a data protection partner, emphasized the public's need to understand how this breach occurred and what measures UK Biobank will implement to prevent future incidents. The listing of 500,000 participants' health information on a public e-commerce site represents a significant data security event.
In response to the breach, UK Biobank temporarily suspended all access to its research platform. It also implemented a strict limit on the size of files that researchers can export. This measure allows researchers to export their study results while severely restricting the ability to remove de-identified participant data from the platform.
### What Defenders Should Do
Organizations handling sensitive de-identified data must enforce robust contractual terms and technical controls. Implement data loss prevention (DLP) solutions to monitor and block unauthorized data egress, especially for de-identified datasets. Strengthen access controls, including multi-factor authentication and granular permissions, for all research platforms. Conduct regular security awareness training for all users handling sensitive data, emphasizing contractual obligations and ethical data use.
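The export limit described above, and the egress monitoring recommended here, can be illustrated with a small export gate. This is an added example, not UK Biobank's own code, and it does not describe their actual mechanism; the byte cap, row limit and pseudonymous-ID column names are assumptions, and the two sample exports are constructed.

```python
import csv
import io
from dataclasses import dataclass

# Hypothetical policy values; the article does not state UK Biobank's actual limits.
MAX_EXPORT_BYTES = 64 * 1024     # size cap on any single export file
MAX_RESULT_ROWS = 1_000          # aggregate result tables stay small
PARTICIPANT_ID_COLUMNS = {"eid", "participant_id", "pseudo_id"}  # assumed header names


@dataclass
class ExportDecision:
    allowed: bool
    reason: str


def review_export(csv_text: str) -> ExportDecision:
    """Decide whether a CSV a researcher wants to export looks like study
    results (allowed) or row-level de-identified participant data (blocked)."""
    size = len(csv_text.encode("utf-8"))
    if size > MAX_EXPORT_BYTES:
        return ExportDecision(False, f"{size} bytes exceeds cap of {MAX_EXPORT_BYTES}")
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if not header:
        return ExportDecision(False, "empty file")
    columns = {c.strip().lower() for c in header}
    hit = columns & PARTICIPANT_ID_COLUMNS
    if hit:
        # One row per participant is an extract of the dataset, not a result.
        return ExportDecision(False, f"per-participant identifier column(s) present: {sorted(hit)}")
    rows = sum(1 for _ in reader)
    if rows > MAX_RESULT_ROWS:
        return ExportDecision(False, f"{rows} rows exceeds result-table limit of {MAX_RESULT_ROWS}")
    return ExportDecision(True, f"{rows} aggregate rows, {size} bytes")


# Constructed sample exports, not real UK Biobank data.
AGGREGATE_RESULTS = (
    "age_band,sex,n,mean_hba1c\n"
    "40-49,F,1210,36.1\n"
    "40-49,M,1175,37.4\n"
)
ROW_LEVEL_EXTRACT = (
    "eid,sex,birth_month,birth_year\n"
    "1000001,F,3,1958\n"
    "1000002,M,11,1961\n"
)

if __name__ == "__main__":
    for name, data in (("results", AGGREGATE_RESULTS), ("extract", ROW_LEVEL_EXTRACT)):
        decision = review_export(data)
        print(name, "ALLOW" if decision.allowed else "BLOCK", "-", decision.reason)
```

Each blocked decision carries a reason string suitable for an audit log, so repeated attempts to pull row-level data become visible to the platform's security team.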
Watch Next: Monitor for further details from UK Biobank regarding the specific attack vector of the breach and any new industry standards for securing de-identified health data access.