Key Points
- Further confidential health records of UK Biobank volunteers have appeared on Alibaba after an earlier breach last week.
- Science minister Patrick Vallance told the House of Lords that the government is working with Chinese officials to remove the new postings quickly .
- Vallance said more listings are likely to emerge because some data had already been downloaded before access was paused .
- The government says the leaked data did not include names, addresses, contact details, telephone numbers or exact dates of birth.
- At least one listing appeared to contain data from all 500,000 UK Biobank volunteers.
- Vallance named three institutions believed to be linked to the postings: Second Xiangya Hospital, China-Japan Union Hospital and Beijing Chaoyang Hospital .
- UK Biobank has revoked access to the three institutions, paused downloads from its platform and referred itself to the Information Commissioner’s Office .
- UK Biobank has also taken action on at least 30 other data breaches in the past month, according to Oxford Internet Institute researcher Dr Luc Rocher.
- Commons committee chair Chi Onwurah said she was “astounded” that some data was still available online and accused UK Biobank of complacency.
What has happened to UK Biobank data?
London (Britain Today News) April 29, 2026 – Further concern has emerged over the security of UK Biobank data after additional confidential health records belonging to UK volunteers were found listed on the Chinese marketplace Alibaba, deepening a breach that was first disclosed last week. The government says it is braced for more leaks, while ministers and officials continue trying to remove the material from circulation . The latest disclosure has intensified scrutiny of how one of the country’s most important medical research databases is protected .
UK Biobank is a non-profit health research charity that holds data donated by 500,000 volunteers and shares it with accredited researchers worldwide. The dataset has underpinned research into heart disease, cancer, dementia, Parkinson’s disease and Covid-19, making it one of the UK’s most significant biomedical resources. However, the latest incident has raised fresh questions about how such sensitive material can be accessed, downloaded and then exposed online again.
Why did Patrick Vallance call this a wake-up call?
Speaking in the House of Lords debate on Tuesday, Patrick Vallance said the government had worked with Chinese officials to remove additional listings after the breach was first reported . He warned that “new listings will emerge” because more postings can appear from earlier downloads, even after the original adverts are taken down . Vallance said the incident should serve as a “real wake-up call” for researchers because de-identified data can still become vulnerable when combined with other information .
He added that there was a “low probability” of re-identification, but stressed that the risk was not zero . Vallance said it is increasingly possible to triangulate large datasets and get close to identifying individuals, which means controls must be stronger than simple trust or contract-based access . In his view, the episode shows that secure data environments are needed so that researchers can work without being able to export data inappropriately .
Which institutions were named?
Vallance identified three Chinese institutions that were understood to be behind the postings: Second Xiangya Hospital, China-Japan Union Hospital and Beijing Chaoyang Hospital . He said the institutions’ access had been revoked and that the government was continuing to work with Chinese officials to remove new postings quickly . The House of Lords debate also made clear that officials believe the listings were removed fast enough that there is no evidence any sale was completed before takedown.
The government’s original statement in the House of Commons said the data had been advertised for sale by several sellers on Alibaba’s platforms in China. It added that at least one of the three datasets appeared to contain data from all 500,000 volunteers. Officials have repeatedly stressed, however, that the material did not include names, addresses, contact details or telephone numbers.
How serious is the exposure?
The immediate security risk is being treated as significant even though the data is described as de-identified . That is because health records can still be linked back to real people when combined with other facts in large datasets, especially if records have already been downloaded elsewhere . Vallance said the episode revealed that the system had not kept up with the scale and sensitivity of the database .
The scale of the wider issue also appears substantial. Dr Luc Rocher of the Oxford Internet Institute, who tracks data breaches, said UK Biobank had already had to deal with at least 30 other breaches in the past month. He has also said the dataset has been exposed many times over a longer period, while some material, including a dataset linked to 96,000 volunteers, remained online for a time after accidental upload. Those claims have helped fuel criticism that the charity’s safeguards were too weak for data of this sensitivity.
What has UK Biobank done so far?
The government says it acted quickly once informed on Monday 20 April. Officials worked with Biobank, the Chinese government and the vendor to remove the three Alibaba listings. They also ensured that UK Biobank revoked access to the research institutions identified as the source of the data.
In addition, UK Biobank paused further access to its platform until a technical solution is put in place to stop data being downloaded in this way again. The charity has also referred itself to the Information Commissioner’s Office . Officials say the board will conduct a rapid review of the safeguards surrounding access to the data, and participants are due to be contacted.
Why are MPs and peers angry?
The incident has prompted sharp criticism from parliamentarians. Chi Onwurah, chair of the Commons science, innovation and technology committee, said she was “astounded” that some data was still online. She said UK Biobank had been complacent about the half a million people who shared their most intimate and personal data and who deserved better.
Others in Parliament have urged stronger technical controls rather than relying on contracts and trust alone . During the Lords debate, peers said the system should prevent downloads altogether and should use secure environments that keep data inside controlled platforms . That criticism matters because UK Biobank’s strength has always rested on public confidence and voluntary participation.
What are the next steps now?
Vallance told peers that the government will soon issue new guidance on the control of data from research studies. He said the guidance will apply to all major UK data resources used for research and that most already use secure platforms that prevent downloading . He also said the UK Biobank review must cover technical, cultural and process failures .
The government has instructed UK Biobank to write to participants as soon as possible and explain what happened . Officials are also trying to confirm the full extent of the material that may still be circulating from earlier downloads . Vallance said some residual downloaded data from before 2024 is likely to be the most vulnerable, and that the challenge now is to eliminate the risk by moving to a genuinely secure environment .
