
Additional confidential health records from UK Biobank volunteers have appeared on Chinese marketplace Alibaba following last week’s major data breach, with the government preparing for more leaks to emerge. The revelation raises serious questions about the security of sensitive medical data used for research purposes.
Science minister Patrick Vallance told the House of Lords that new data listings continue to surface despite government efforts to work with Chinese officials to remove them. The original breach involved health data from 500,000 UK Biobank participants being offered for sale on Alibaba, discovered through an anonymous whistleblower report.
“New listings will emerge – there have been additional listings posted since the government were made aware of the issue last week – and we continue to work with the Chinese government to remove them quickly,” Vallance said during the parliamentary debate. He warned that the breach should serve as a “real wake-up call” for researchers handling sensitive medical information.
The compromised data is technically “de-identified,” meaning it lacks names, addresses, or precise birth dates. However, Vallance acknowledged significant risks remain. “It is increasingly possible to triangulate in large datasets and get close to identification, and that remains a very real risk,” he explained. This concern proved valid when The Guardian successfully re-identified a participant from a different leaked UK Biobank dataset using only their birth date and surgery information.
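The triangulation risk Vallance describes can be measured before a dataset is shared. The following is an added example, not code from the article or from UK Biobank: a k-anonymity audit that counts how many records share each combination of quasi-identifiers and shows the effect of coarsening dates. The field names, sample rows and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows (not real data): a "de-identified" extract that
# still carries quasi-identifiers: birth date, sex and a procedure date.
RECORDS = [
    {"birth": "1961-03-14", "sex": "F", "surgery": "2015-06-02"},
    {"birth": "1961-03-29", "sex": "F", "surgery": "2015-11-20"},
    {"birth": "1961-07-08", "sex": "F", "surgery": "2015-01-15"},
    {"birth": "1958-10-01", "sex": "M", "surgery": "2012-04-09"},
    {"birth": "1958-02-17", "sex": "M", "surgery": "2012-09-30"},
    {"birth": "1958-12-25", "sex": "M", "surgery": "2013-03-03"},
]
QUASI_IDS = ("birth", "sex", "surgery")  # hypothetical column names
DATE_FIELDS = ("birth", "surgery")

def generalize(rec, date_len):
    """Coarsen ISO dates by truncation: 10 = full date, 7 = month, 4 = year."""
    return {k: (v[:date_len] if k in DATE_FIELDS else v) for k, v in rec.items()}

def class_sizes(records, quasi_ids=QUASI_IDS):
    """Count the records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids=QUASI_IDS):
    """k is the smallest equivalence class; k == 1 means someone is unique."""
    return min(class_sizes(records, quasi_ids).values())

def at_risk(records, k_min, quasi_ids=QUASI_IDS):
    """Indexes of records whose equivalence class is smaller than k_min."""
    sizes = class_sizes(records, quasi_ids)
    return [i for i, r in enumerate(records)
            if sizes[tuple(r[q] for q in quasi_ids)] < k_min]

def release_check(records, k_min=2):
    """Return (k, rows below k_min) for each level of date coarsening."""
    report = {}
    for label, n in (("day", 10), ("month", 7), ("year", 4)):
        g = [generalize(r, n) for r in records]
        report[label] = (k_anonymity(g), len(at_risk(g, k_min)))
    return report

if __name__ == "__main__":
    for level, (k, n) in release_check(RECORDS).items():
        print(f"dates to {level}: k={k}, rows below threshold={n}")
```

In this sample, removing names does nothing for uniqueness at day or month precision, and even at year precision one row remains unique and would need suppression or further generalization before release.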
The scope of the security failures extends beyond the Alibaba marketplace. UK Biobank has reportedly dealt with at least 30 other data breaches in the past month alone, according to Dr. Luc Rocher from the Oxford Internet Institute, who tracks such incidents. Some leaked datasets remain publicly accessible online, including detailed information on 96,000 volunteers apparently uploaded accidentally by a Yale University student.
Vallance identified three Chinese medical institutions whose researchers are believed responsible for the Alibaba postings:
- Second Xiangya Hospital
- China-Japan Union Hospital
- Beijing Chaoyang Hospital
The UK Biobank represents one of the world’s most comprehensive health research databases, containing genetic and medical information from volunteers who contributed data to advance scientific understanding of diseases like cancer, heart disease, and dementia. The database has enabled crucial discoveries about genetic risk factors and helped researchers better understand conditions including COVID-19.
Chi Onwurah, chair of the Commons science, innovation and technology committee, expressed strong criticism of the response. “I’m astounded that data is still available online. UK Biobank have been complacent about the half a million British people who have shared their most intimate and personal data with them and who deserve better than this,” she said.
The incident highlights growing concerns about international data sharing in medical research and the challenges of protecting sensitive information across borders. While officials believe no actual sales occurred before the listings were removed, the breach has prompted UK Biobank to temporarily suspend all data access while security measures are reviewed.
A government spokesperson confirmed they are working with UK Biobank to understand the full extent of the breach and ensure proactive steps are taken to remove unauthorized data from online platforms. The response reflects broader tensions around data security and international research collaboration, particularly involving Chinese institutions.
The ongoing situation demonstrates the complex balance between advancing medical research through data sharing and protecting participant privacy. As Vallance emphasized, ensuring a secure data environment going forward will be crucial for maintaining public trust in these vital research programs.