Private UK Health Records Found for Sale on Chinese Platform
The confidential health records of 500,000 British volunteers were offered for sale on a Chinese website, the UK government has confirmed. The data, described as “de-identified,” belonged to participants in the UK Biobank project and was discovered on three separate listings last week.
Ian Murray, the UK technology minister, informed the House of Commons on Thursday that, following cooperation with the Chinese government and Alibaba, the listings had been removed. It is not believed that any sales were completed.
This incident follows a previous revelation by last month regarding another breach of sensitive UK Biobank data, raising concerns about the adequacy of security measures.
“On Monday 20 April, the UK Biobank charity informed the government that it had identified their data had been advertised for sale by several sellers on Alibaba’s e-commerce platforms in China,” Murray said.
“Biobank told us that three listings that appear to sell … Biobank participation data had been identified. At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers.”
Murray added: “I want to thank the Chinese government for the speed and seriousness with which they worked with us to help remove those listings and the ongoing work to remove any further listings.”
UK Biobank has referred itself to the Information Commissioner’s Office (ICO) following the breach.
Concerns Raised Over Data Security and Public Trust
Chi Onwurah, chair of the Commons science, innovation and technology committee, described the breach as “incredibly serious” and noted it as “yet another blow to public trust at a time when we need the benefits of digitalisation to be embraced by all.”
“It’s really coming to something if we’re having to rely on the Chinese government to keep our data secure,” she added.
The UK Biobank holds extensive health data from 500,000 volunteers, including genome sequences, brain scans, blood samples, and diagnostic records. Access to this data is granted to scientists at universities and private companies worldwide. The project has been hailed as the “jewel in the crown of UK science.” In February, health secretary Wes Streeting issued a directive allowing coded GP data of all volunteers to be shared with UK Biobank for the first time.
The data advertised on Alibaba was “de-identified,” meaning it did not include names, addresses, or exact dates of birth. However, such data can still pose privacy risks. Last month, another UK Biobank dataset leaked online provided access to extensive hospital diagnosis records for an individual.
Government and UK Biobank Response
Murray stated that the government ensured UK Biobank revoked access for the three research institutions identified as the source of the data. UK Biobank has also temporarily suspended all access to its data.
Since 2024, scientists have been required to analyze data within UK Biobank’s cloud-based research platform, a system designed to enhance data security. Researchers must sign agreements not to download raw participant data, but there has been no technical restriction preventing downloads. A data privacy expert described this as “an extraordinary failure.”
Prof Felix Ritchie, an economist at the University of the West of England, criticized UK Biobank’s handling of data:
“UK Biobank had been ‘supremely careless’ with volunteers’ data. ‘They have been irresponsible and it’s really sad because UK Biobank is a fantastic resource.’
“I don’t think they’ve got a grip of it. The amazing thing today is that it is for sale on the public internet. I expect that there’s lots more information on the dark web. And once it’s out there, you can’t get rid of it.”
Prof Rory Collins, chief executive and principal investigator of UK Biobank, responded:
“We take the protection of participants’ data extremely seriously and do not tolerate any form of data misuse. With support from the UK government, Chinese authorities and Alibaba, three listings for de-identified data were swiftly removed before a sale was made. The actions of these individuals are a clear breach of the contract they signed with UK Biobank and they, along with their academic institutions, immediately had their access suspended.
“We apologise for the concern this will cause and have already put in place technology, processes and a board-led review to stop this happening again. We have also taken our research platform offline while we add a further upgrade that helps prevent de-identified data being taken out of the platform. We expect this to take three weeks. Our existing plans to implement an automated ‘airlock’ that checks files and data continues at pace.”
How to Contact Securely
emphasizes the importance of first-hand accounts from knowledgeable individuals for public interest journalism. They offer secure methods for confidential communication:
app includes a tool for sending tips about stories. Messages are end-to-end encrypted and concealed within routine app activity, preventing observers from detecting communication or content.
If you do not have app, it is available for download on iOS and Android. After installation, select ‘Secure Messaging’ from the menu.
Additionally, their guide at the.com/tips outlines various secure contact methods and discusses their advantages and disadvantages.
