Diagonal test tubes with blood with blue lids ready for test. Concept of medicine and science. 3d rendering

UK Biobank breach: can anonymised health data be traced back to you?

The UK Biobank breach has been described as “limited” because the data involved was anonymised. That means no names, addresses or obvious identifiers. 

But that doesn’t mean no risk.

Following the breach, questions are now being raised about whether the data could still be used to identify individuals. 

What was exposed in the UK Biobank breach?

UK Biobank is a large-scale medical database made up of volunteers across the UK. Participants originally joined between 2006 and 2010, providing health information, lifestyle details and biological samples.

Last week, technology minister Ian Murray told MPs there had been a serious data incident, which resulted in highly confidential Biobank information being listed for sale. The technology minister also said there was no guarantee individuals could not be identified from the data.

This wasn’t a hack. The data was accessed legitimately by an approved research organisation, and then allegedly put up for sale in breach of its agreement.

The data has since been found on three separate listings on the Chinese e-commerce site Alibaba. According to the technology minister, ‘At least one of these three datasets appeared to contain data from all 500,000 UK Biobank volunteers’.  

This isn’t generic data. It’s: 

  • Long-term health information 
  • Linked to biological samples 
  • Built to be detailed enough for medical research.  

In simple terms, the data was anonymised, but still highly detailed. And that level of detail can increase the risk of re-identification. 

The government has said there is no evidence the data was purchased before the listings were taken down. However, concerns remain, as once data is exposed it can be difficult to fully contain: 

  • The data was listed online, meaning it could have been copied before removal 
  • Multiple listings suggest wider access or distribution.  

This raises questions about how widely the data may have been shared before it was taken down. 

Experts have warned about this before

Academic research and real-world reporting have shown that, in some cases, individuals can be identified from anonymised datasets using only a small number of data points. 
 

There have also been instances where: 

  • Health data has been linked back to individuals through cross-referencing 
  • Supposedly anonymous records have been matched with other datasets  
  • Publicly available information has been enough to confirm identities.  

In the context of UK Biobank, that raises a clear concern: if someone had access to both this dataset and other data sources, could they piece together who is who?

If re-identification were possible, the implications are serious. 

Health data can reveal:

  • Medical conditions 
  • Genetic risks 
  • Lifestyle choices 
  • Personal circumstances. 

In the wrong hands, that could lead to:

  • Profiling or targeting 
  • Discrimination 
  • Blackmail or coercion.  

Even if those outcomes are unlikely, the exposure itself changes the risk landscape.

For many people, even if the data was anonymised, knowing that sensitive health information has been exposed can feel unsettling.

Participants shared details about their bodies, lifestyles and medical histories in good faith, often to support research that could benefit others. Finding out that this data may have been mishandled or listed for sale can lead to a loss of trust, anxiety about how it might be used, and a sense that something private has been taken out of their control.

The data may have been anonymised, but the concerns it raises are very real. As investigations continue, questions around data control, trust and accountability are unlikely to go away. 

At this stage investigations into the Biobank breach are ongoing. It is not yet clear whether any legal action will follow. If a group action or formal claim is investigated by a regulated partner law firm, we’ll explain what it means and how to take part. 

Find out more

Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.  

This information is for general guidance only and does not constitute legal or financial advice.

You may also like:

  • Environment, News, Vehicle

Can BMW drivers claim compensation for the diesel emissions scandal?

BMW faces legal action over emissions-cheating software. Learn what the scandal involves, who is affected, and what it means for UK diesel car owners.
  • Data Breach, Financial, News

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.
  • News, Vehicle

Jaguar Land Rover DPF claims vs. dieselgate: What you need to know

Confused about Jaguar Land Rover DPF claims vs. Dieselgate? Learn the key differences, legal actions, and how to check if you qualify for compensation.

Latest news & insights

Tesco supermarket trolleys stacked in a line.
What claims should be on your radar in June 2026?
From the Tesco equal pay case to the latest Capita data breach claim update, here are the compensation claims and legal developments to watch in June 2026.
Could your landlord owe you compensation for failing to protect your deposit?
If your landlord failed to protect your tenancy deposit correctly, you could be entitled to compensation. Learn your rights and find out what to do next.
Warning for app fraud alert on smartphone
APP fraud explained — what it is and how to protect yourself
APP fraud cost UK victims over £450m in 2024. Find out how the reimbursement rules could help you claim your money back.
Beautiful Middle Eastern Manager Sitting at a Desk in Creative Office. Young Stylish Female with Curly Hair Using Laptop Computer in Marketing Agency. Colleagues Working in the Background
How to make a Subject Access Request
We cover everything you need to know about making a Subject Access Request, from identifying when a SAR is necessary to understanding your rights to a response.
University of Nottingham data breach claim
University of Nottingham cyber-attack: what students and graduates need to know
The University of Nottingham has confirmed a major cyber-attack affecting current and former students. Find out more…
Supermarket workers: You could have multiple equal pay claims
Worked at more than one supermarket? You could have multiple equal pay claims. Find out if you're eligible and how to take action today.
Next equal pay ruling: What it means for supermarket workers
Next store workers won their equal pay claim—could supermarkets be next? Find out how this ruling could impact retail employees and equal pay claims.
Icons of major social media applications are displayed on a smartphone screen with the United Kingdom flag in the background. Discussions are ongoing in the UK regarding strict age verification measures and a potential ban on social media usage for minors under 16.
UK set to ban under-16s from social media in landmark move
The UK government has announced plans to ban under-16s from social media. We explain what has been proposed.
Close-up of a person using a smartphone with the ChatGPT app open.
Are ChatGPT conversations appearing in Google search results? Here’s what we know.
Reports claim ChatGPT conversations are appearing in Google search results. We examine what's really happening.
Woman holding iPhone with logo of application Booking.com on the screen, using mobile application
Booking.com faces proposed £2 billion consumer claim over hotel prices
A proposed £2 billion claim alleges Booking.com's pricing practices inflated hotel costs for millions of UK travellers. Here's what we know so far.
Warning to supermarket store workers: If you want equal pay compensation, you’ll need to claim it!
Many UK supermarket workers are confused about equal pay claims. Learn why backpay isn’t automatic and what opt-in group actions really mean.
Close-up of the NHS - National Health Service logo on the exterior of St. Thomas Hospital in London, UK
What is the NHS Single Patient Record, and why is it being debated?
Plans for a NHS Single Patient Record moved a step closer last week. But there are important questions about privacy & data security.
Teenagers with smartphones on social media near white wall indoors
Social media is facing growing scrutiny. Here’s why.
Explore the growing debate around social media safety, online harms, platform accountability, child safety, addictive features and digital rights.
An expert hacker is decrypting data while hiding their face
Hackers are changing tactics – and it could mean more data breaches
Hackers are increasingly exploiting software vulnerabilities rather than stealing passwords. Here's what that could mean for UK consumers.
Managing the validity of digital document checklists
New data complaint rules are coming in June 2026
New data protection complaint rules take effect on 19 June 2026. Find out what organisations must do and what the changes mean for consumers.
View all news

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the Claim is a trading name of Join the Claim Limited, authorised and regulated by the Financial Conduct Authority (FRN: 1053404). Registered in England and Wales, Company No: 16245278. Registered office: 32 Eyre Street, Sheffield, S1 4QZ.

© Join the Claim All Rights Reserved |

2026
Go to claims