One of the UK’s most important health research projects is facing growing scrutiny after reports that UK Biobank data has been leaked online at least 198 times in the past year.
The figures suggest the recent high-profile incident — where data linked to 500,000 participants was listed for sale — may not be an isolated issue, but part of a wider pattern.
According to Dr Luc Rocher, a researcher at the Oxford Internet Institute, UK Biobank has experienced at least 30 other data breaches in the past month alone. Some of this data remains online at the time of writing.
To make matters worse, according to media reports, more listings of confidential health records have been posted online since the breach was first reported last week.
What’s been reported
According to researchers tracking the issue, UK Biobank has issued almost 200 legal takedown requests over the past year to remove data that had been published online without permission.
These incidents are understood to involve:
- Data being uploaded to public platforms such as GitHub
- Researchers sharing datasets outside approved channels
- Cases where data may have been passed on informally between individuals.
While many of these uploads appear to have been accidental, some cases involve data that may not have been accessed through official routes at all. UK Biobank has used copyright takedown notices to try to remove this material once identified.
In addition, speaking to the House of Lords about the latest Biobank data breach, science minister Patrick Vallance said:
“New listings will emerge – there have been additional listings posted since the government were made aware of the issue last week – and we continue to work with the Chinese government to remove them quickly”.
The Alibaba incident: part of a bigger picture
The issue gained attention in April 2026, when the government confirmed that a dataset linked to UK Biobank participants had been listed for sale on an Alibaba platform.
Technology minister Ian Murray told MPs that:
- Data linked to more than 500,000 participants may have been involved
- The listings were removed before any confirmed sale
- There was no evidence the data had been purchased.
However, despite the information being “de-identified”, he acknowledged that it was not possible to guarantee individuals could not be identified from the dataset.
According to a report in the Guardian, it was able to re-identify a single participant in a different UK Biobank dataset that had been leaked online. Doing so with just their date of birth and the data of an operation.
Where are the leaks coming from?
Of the incidents that could be traced, many appear to originate from outside the UK.
Reported sources include:
- The United States
- China
- Other countries including Germany, the UK and South Korea.
Researchers say this reflects how widely UK Biobank data is shared across the global research community. That global access is part of what makes the dataset valuable, but it also increases the challenge of controlling how it is used.
Unlike a typical data breach, these incidents are not the result of hacking. Instead, they highlight what happens after data is legitimately accessed.
Researchers are often required to share code, methodology and supporting data. This is intended to improve transparency and allow others to verify findings. But in practice, it can lead to:
- Partial datasets being uploaded publicly
- Entire datasets being shared by mistake
- Data being reused beyond agreed terms.
Experts say that once data appears online, even briefly, it can be copied and redistributed.
How sensitive is the data?
The compromised UK Biobank data is not thought to include direct identifiers like names or addresses. However, it can include:
- Age and date of birth (month and year)
- Health records and medical history
- Genetic and biological data
- Lifestyle information (such as diet, work and sleep patterns).
On its own, this may not identify someone. But combined with other data sources, it may be possible to work out who an individual is (in some cases). This is one of the key concerns now being raised.
What this means for participants
For people who took part in UK Biobank, the situation may feel unsettling. Many participants shared highly personal health information to support medical research.
While there is no confirmed misuse of the data in these cases, the repeated leaks raise questions about:
- How securely the data is being handled
- Who ultimately has access to it
- Whether it can be fully controlled once shared.
The loss of control over sensitive information can be enough to undermine trust and cause significant emotional distress.
At Join the Claim, we monitor developments like this closely. If investigations lead to regulatory action or a potential group claim, we’ll explain what that means and what your options are.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.
