The genetic sequences, medical scans, and lifestyle records of half a million British volunteers spent days listed for sale on Alibaba before anyone at UK Biobank noticed.
Three academic institutions, since banned from the platform, had quietly walked the data out through a research system that was supposed to keep it under lock and key.
At least one of the three Alibaba listings appeared to contain the full dataset covering every one of the 500,000 participants who handed over their blood, their DNA, and decades of personal health information on the understanding it would be used for medical research.
The UK government confirmed the breach on Thursday. Technology minister Ian Murray told the House of Commons that Biobank had flagged the incident on Monday, and that the Chinese government and Alibaba had cooperated to pull the listings down before any purchases went through. Murray thanked Beijing directly for its “speed and seriousness” in taking down the data, a sentence that carries some weight given the three research institutions identified as the source are Chinese, though officials have declined to draw conclusions about intent.
Reclaim Your Digital Freedom.
Get unfiltered coverage of surveillance, censorship, and the technology threatening your civil liberties.
Professor Rory Collins, Biobank’s chief executive and principal investigator, issued a statement saying the listings “were swiftly removed before any purchases were made.” He apologized to participants and confirmed that access to the research platform had been suspended while the organization installs file size limits designed to stop researchers from walking off with bulk datasets.
An automated checking system to vet outgoing files is not expected to be ready until late 2026.
The sales listing is not the scandal. The scandal is what the sales listing reveals about how often Biobank’s data has already been exposed and where it now sits.
Prof Luc Rocher of the Oxford Internet Institute has been tracking the problem and maintains a public record of known incidents. By his count, the Alibaba posting is “the 198th known exposure of UK Biobank data since last summer.” Rocher added that the data “is not just available for sale, it also remains available online for anyone to download today.” Researchers have repeatedly uploaded the dataset to code-sharing platforms by accident, and copies have since been replicated across the web. Taking down one Alibaba listing does nothing about the other 197.
Biobank’s response to this pattern has been to emphasize that the data is “de-identified” and that no participant has been knowingly re-identified. The reassurance rests on a technical claim that does not survive contact with the evidence.
The Guardian, working from just two pieces of commonly available information, identified a single Biobank participant last month. Genetic sequences, detailed medical histories, and lifestyle data are among the most identifiable records a person can generate about themselves, and stripping off a name does not change that.
UK Biobank was founded by the Department of Health in partnership with medical research charities, including the Wellcome Trust and the Medical Research Council.
It recruited half a million volunteers aged 40 to 69 between 2006 and 2010, collecting blood samples, genetic sequences, imaging scans, and ongoing lifestyle information. Access was supposed to work through a closed system. Researchers at accredited institutions would log in, run their analysis on the platform, and export only results.
Until 2024, though, accredited institutions were handed bulk datasets directly to store on their own servers. The access rules changed, but the contractual ban on downloading datasets off the new platform sat alongside a technical system that still allowed it.
Murray acknowledged this gap in the Commons, saying that the system “also allowed you to do, although you were contractually as an accredited organization not supposed to do, is download the datasets.” The current thinking, he said, is that the three Chinese institutions downloaded the full dataset to local storage, and the data then ended up on Alibaba through means still being investigated.
The UK Biobank breach is the kind of story that should change how people think about handing over medical data, but it probably won’t. Half a million volunteers gave their blood, their genetic sequences, their imaging scans, and decades of lifestyle records to a research project run by the Department of Health and the Wellcome Trust. They did it for cancer research, for dementia research, for Parkinson’s. They were told the data would sit behind layers of access controls.
What they were not told is that “access controls” meant a contractual promise that researchers would not download the dataset, paired with a technical system that let them download it anyway.
The custodianship promise has failed at a rate of roughly one breach every two days for nearly a year, and the failures are systemic. Each leak has its own story, a careless upload to GitHub, a misconfigured server, three Chinese institutions that allegedly walked the data straight onto a shopping site.
Biobank’s response is to add file size limits and to point at “rogue researchers,” language that locates the problem in three bad actors instead of in a system that gave thousands of people worldwide practical access to copy one of the most sensitive datasets ever assembled.
The reassurance that the data is “de-identified” does not survive contact with the evidence, given that the Guardian identified a Biobank participant last month using two pieces of commonly available information. Genetic sequences are not the kind of record a name can be peeled off.
What makes this worse is the world the data is leaking into. Medical and genetic information is now the single most valuable training input for the AI systems being built across healthcare, advertising, insurance, and government.
Once a dataset reaches the open web, it does not stay in one place. It gets ingested. Researchers at MIT presented work at NeurIPS last year showing that foundation models trained on de-identified electronic health records memorize patient-specific information, and that adversarial prompts can pull individual records back out.
Membership inference attacks on genomic models can determine whether a specific person’s DNA was in the training set. Model inversion attacks on a personalized warfarin dosing system reconstructed patients’ genetic markers from queries alone. The premise that anonymization protects you is a premise from a different decade.
The 23andMe bankruptcy made the financial logic clear. Genetic data does not get destroyed when a company fails. It gets sold to whoever bids highest, which means the consent you gave in 2008 covers uses by entities that did not exist when you signed up. Biobank operates on a similar trajectory.
Volunteers consented to medical research conducted by accredited scientists working on a closed platform. They did not consent to their genome being on a Chinese e-commerce site, on GitHub, on servers Biobank cannot reach, or in the training data of a future large language model that some company will build using whatever scraped corpus is available.
None of those uses required a separate breach to enable. They required only the breach that has already happened, multiplied by the fact that data on the internet replicates faster than any takedown notice can chase.
The deeper problem is that medical data has properties that no other category of personal information has. You can change a password. You can cancel a credit card. You cannot revoke your DNA.
The genetic sequence currently sitting on whatever servers the Alibaba listing was scraped to before the takedown will identify the volunteer who provided it for the rest of their life, and will identify their children, and their siblings, and anyone closely related to them, none of whom consented to anything. The medical scans are equally permanent. The lifestyle data, decades of it, paints a picture detailed enough that the Oxford Internet Institute’s Luc Rocher could identify individuals from a fraction of it.
Hand this category of information to an institution and you are not lending it. You are releasing it, and the release becomes irreversible the moment any custodian fails, which by Biobank’s own count, is now 198 times.
The case for centralized medical research databases rests on the assumption that custodians can keep them secure.
Biobank’s track record over the past year is the empirical answer to that assumption. The case for handing medical data to AI companies, healthcare chatbots, wellness apps, and direct-to-consumer genetic testing services rests on the same assumption, applied to organizations with weaker safeguards, shorter institutional memories, and stronger commercial incentives to find new uses for the data after the fact.
The volunteers who signed up in 2006 did so under a model of consent that the technology has since rendered obsolete.
Anyone considering whether to hand over their genome, their scans, or their health records today should look at the Biobank numbers and notice that the question is no longer whether the data will leak. It is when, to whom, and into which AI system trained on which corpus collected by which company that does not yet exist.
