UK private health records advertised for sale on Alibaba, government confirms

By News DeskPublished On: April 24, 2026Last Updated: April 24, 2026

Private UK Biobank records from 500,000 volunteers were listed for sale on Alibaba, the government has confirmed.

The de-identified information, belonging to participants in the UK Biobank project, appeared in three separate listings, with at least one seeming to contain data from the full volunteer group.

De-identified means names, addresses and exact dates of birth were removed, but the data can still carry privacy risks.

The government said the listings were removed after UK officials worked with Alibaba and the Chinese government, and it is not believed any sales were made.

Technology minister Ian Murray told MPs that UK Biobank alerted the government on 20 April after finding the listings on Alibaba’s e-commerce platforms in China.

He said the charity had identified three listings that appeared to offer Biobank participation data for sale.

“At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers.

“I want to thank the Chinese government for the speed and seriousness with which they worked with us to help remove those listings and the ongoing work to remove any further listings.”

The latest breach comes after sensitive UK Biobank data was reportedly exposed online dozens of times last month, raising fresh questions about whether security has been too lax.

UK Biobank holds health data from 500,000 volunteers, including genome sequences, brain scans, blood samples and diagnostic records. Scientists at universities and private companies around the world can apply to access the resource.

Earlier this year, health secretary Wes Streeting issued a legal direction allowing the coded GP data of all volunteers to be shared with UK Biobank for the first time.

The data advertised on Alibaba was de-identified, meaning it did not include names, addresses or precise dates of birth. But this kind of data can still pose privacy risks.

Last month, the Guardian reported it had apparently re-identified a participant in another leaked UK Biobank dataset, which provided access to extensive hospital diagnosis records for that individual.

Murray said access had been revoked for the three research institutions identified as the source of the data, while UK Biobank had temporarily suspended all access to its datasets.

Since 2024, researchers have been required to analyse data through Biobank’s cloud-based research platform, which was introduced to strengthen security.

However, it is understood there has been no technical block preventing raw participant data from being downloaded.

UK Biobank has referred itself to the Information Commissioner’s Office.

Chi Onwurah, chair of the Commons science, innovation and technology committee, said the “incredibly serious” breach was another blow to public trust.

“It’s really coming to something if we’re having to rely on the Chinese government to keep our data secure.”

Felix Ritchie, an economist at the University of the West of England, said: “They have been irresponsible and it’s really sad because UK Biobank is a fantastic resource.

“I don’t think they’ve got a grip of it.

“The amazing thing today is that it is for sale on the public internet. I expect that there’s lots more information on the dark web. And once it’s out there, you can’t get rid of it.”

Rory Collins, chief executive and principal investigator of UK Biobank, said the organisation had acted quickly after the listings were identified.

He said: “We take the protection of participants’ data extremely seriously and do not tolerate any form of data misuse.

“With support from the UK government, Chinese authorities and Alibaba, three listings for de-identified data were swiftly removed before a sale was made.

“The actions of these individuals are a clear breach of the contract they signed with UK Biobank and they, along with their academic institutions, immediately had their access suspended.”

“We apologise for the concern this will cause and have already put in place technology, processes and a board-led review to stop this happening again.

“We have also taken our research platform offline while we add a further upgrade that helps prevent de-identified data being taken out of the platform.

We expect this to take three weeks. Our existing plans to implement an automated ‘airlock’ that checks files and data continues at pace.”

British Business Bank commits £100m to health tech investment fund

G2 Speech achieves self-certified supplier status on NHS England AVT Registry

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
tve_leads_unique	1 month	This cookie is set by the provider Thrive Themes. This cookie is used to know which optin form the visitor has filled out when subscribing a newsletter.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description
lfuuid	9 years 11 months	Third party (Lead Forensics) cookie which enables us to track visitor behaviour on our site. Tracking is performed anonymously until a user identifies themselves by submitting a form.
tl_554_555_1	1 month	No description
tl_554_605_2	1 month	No description
tlf_1	5 days	No description