Medical data of 500,000 Britons put up for sale on Chinese website

Medical data belonging to 500,000 British citizens was listed for sale on the Chinese e-commerce website Alibaba, the UK government said Thursday.

The data is held by the UK Biobank charity and includes genetic sequences, blood samples, medical scans and lifestyle information.

Scientists, both at universities and private companies, can be given access for research purposes under legal contracts committing them to keep it secure.

Despite these protections, the data was found advertised across three separate listings on Alibaba, science minister Ian Murray told the House of Commons, at least one of which appeared to contain data from all 500,000 of the database's volunteers.

Murray added the listings were removed before any sales were made, with the cooperation of the Chinese government and Alibaba.

He said Biobank had informed the government of the incident on Monday and that three research institutions had been identified as the source of the posting. Those institutions’ access to the data has been revoked and Biobank has been asked to pause further data access while security measures are strengthened, Murray added.

“This was not a leak. This was a legitimate download by a legitimately accredited organisation,” he said.

Last year, a report from The Guardian found that one in five successful applications to access UK Biobank data came from China, including from researchers affiliated with BGI — China's largest genomics company — which has been sanctioned by the United States in relation to concerns it has aided surveillance of ethnic minorities.

UK Biobank said the exposed data was “de-identified” and did not contain names, addresses or NHS numbers, although it did include gender, age, month and year of birth, as well as socioeconomic status and lifestyle data.

Privacy experts have previously warned that such information can be sufficient to identify individuals, particularly when cross-referenced with other publicly available data.

In a statement to participants, Biobank chief executive Sir Rory Collins apologized and said the organization had temporarily suspended all access to its research platform. 

An interim measure limiting the size of files that can be exported from the platform was being implemented, Collins said, with a more comprehensive automated checking system not expected to be in place until late 2026.

“We are sorry that this incident has occurred and hope you are reassured by the swift and decisive action we have taken,” Collins said.

UK Biobank has referred itself to the Information Commissioner's Office (ICO) which can fine organizations up to 4% of their annual global turnover for failing to hold personal data securely. Such fines are rare for public sector and non-profit organizations.

The Biobank database, established with government and charitable funding, holds more than 15 million biological samples and health records from volunteers recruited between 2006 and 2010. It is used by researchers worldwide to study diseases including cancer, dementia and diabetes.

The United States government has repeatedly warned of the risks posed by Chinese access to Western health and genomic data. In March 2023, the U.S. Commerce Department added BGI to its trade blacklist, stating that the company’s collection and analysis of genetic information risked the data being diverted to China's military programs.

BGI and the Chinese government denied all allegations of wrongdoing.

A separate U.S. intelligence assessment has described bulk health and genomic data as a “strategic commodity” that China collects for “economic and national security priorities,” adding that unlike a compromised password, genetic data “cannot be replaced.”