Cyber Incident Victim: UK Biobank
Date: Apr 2026
Location: United Kingdom
Summary
UK Biobank reported that de‑identified health information from its 500,000 volunteers appeared for sale on a Chinese e‑commerce platform, specifically Alibaba’s Taobao site, before being removed after the charity notified the government. The exposed data included gender, age, month and year of birth, socioeconomic status, lifestyle habits and biological sample measures but excluded names, addresses, contact details and NHS numbers. Officials said the listings stemmed from legitimate research organisations that had been granted access, not from a cyber‑attack, and that access by those groups has since been revoked. In response, the charity paused platform access, imposed stricter file‑size limits, began daily export monitoring and launched a board‑led investigation, while noting that no purchases were recorded. Officials warned that even de‑identified details could pose re‑identification risks and might affect public trust in health‑data initiatives.
Description
On 23 April 2026 the UK government confirmed that health information from 500,000 participants in the UK Biobank project had been listed for sale on a Chinese e‑commerce platform. Technology minister Ian Murray told MPs that the listings appeared on Alibaba’s Taobao site and that the data did not include names, addresses, contact details, telephone numbers or NHS numbers. He said the information could include gender, age, month and year of birth, socioeconomic status, lifestyle habits and measures taken from biological samples. The charity that runs UK Biobank said it had been informed of the listings on Monday and was investigating the incident. Murray added that the UK Biobank charity had identified that the data had been advertised for sale by several sellers on Alibaba’s platforms in China. He stated that at least three listings had been found, one of which appeared to contain data from all 500,000 volunteers, and that no purchases had been made from any of the listings. According to the government, the breach originated from research organisations that had been granted legitimate access to the data, not from a hacker group, and access by those organisations has since been revoked.

UK Biobank’s chief executive Prof Sir Rory Collins told participants that the listings had been swiftly removed after being discovered and that the data involved had been made available to researchers at three institutions whose access has now been suspended. He said the data are de‑identified and do not contain any personally identifying information such as names, addresses, dates of birth or NHS numbers. In response to the incident UK Biobank announced a temporary suspension of access to its research platform while a strict limit is imposed on the size of files that can be removed from it, and said it would monitor file exports daily for any suspicious behaviour. The charity also said it would conduct a comprehensive and forensic board‑led investigation of the incident. Murray told Parliament that a pause had been placed on access to the Biobank while a technical solution is implemented to prevent data from being downloaded in this way again, and that the government would be issuing new guidance on control of data from research studies. He thanked the UK and Chinese governments as well as Alibaba for their support and cooperation in having the listings removed. The Information Commissioner’s Office said it had been made aware of the incident and was making enquiries.

Volunteer reaction included comments from Guardian columnist Polly Toynbee, who said she was not worried because the data are anonymised and cannot be linked back to individuals. Murray noted that thousands of Chinese researchers have worked with the Biobank safely and securely since 2012 and criticised the tone of questions that framed the incident as a theft scandal. He also said the UK taxpayer had provided approximately £200 million to set up the Biobank. Studies using Biobank data have already produced findings such as genes that affect the risk of heart disease or cancer, new ways to predict dementia and early warning signals for cancers and Parkinson’s disease. Some experts warned that detailed de‑identified health data could still be re‑identified when combined with other information, although the government and UK Biobank maintain that the data released did not contain personal identifiers. The incident occurred as the UK government prepares to launch an initiative to share GP records with other organisations, including the Biobank.
