Attempted Sale of UK Biobank Data by Chinese Researchers Prompts Security Review and Political Scrutiny
Introduction
Three individuals from separate Chinese research hospitals tried to sell de-identified medical records of about 500,000 UK Biobank participants on the e-commerce platform Alibaba. This incident caused a suspension of global data access and renewed debate about whether security rules for international research partnerships are strong enough.
Main Body
The attempted sale involved listings posted by researchers who had originally gained legitimate access to the UK Biobank database, which contains de-identified health data from NHS volunteers. The listings included fields such as gender, age, month and year of birth, assessment centre data, attendance records, socioeconomic status, and lifestyle habits. However, they did not include names, addresses, or contact details. UK Biobank, a registered charity, reported that it was alerted to the listings by an anonymous whistleblower and then revoked access for the three institutions, although it refused to name them. The listings were removed before any sale took place. As a result, UK Biobank paused global access to its database to prevent further unauthorized downloads and resale. Professor Sir Rory Collins, the charity’s chief executive, apologized to participants for the concern this incident caused. Technology Minister Ian Murray described the leak as an “unacceptable abuse,” and several parliamentarians, including former Conservative leader Sir Iain Duncan Smith and shadow national security minister Alicia Kearns, called for a formal inquiry. This event happened against a background of previous controversy over Chinese researchers’ access to UK Biobank data. In 2023, plans to allow Chinese scientists to access general practitioner records of 503,000 volunteers faced objections from MPs, security experts, and former intelligence chiefs. They warned that the data could be used for bioweapons development or to help China’s biotechnology industry. In April 2024, NHS England audited UK Biobank’s international data-sharing processes, including its review of applications from China, and the audit was passed. Later, in February 2025, Health Secretary Wes Streeting authorized the transfer of coded GP data from all volunteers to UK Biobank. Former MI6 chief Sir Richard Dearlove compared this decision to the cancelled plan to allow Huawei involvement in the UK’s 5G network. MI5 Director General Sir Ken McCallum had previously warned against Chinese interference in science and technology and urged institutions to evaluate risks in partnerships. Alicia Kearns argued that the government had given a “gift to China” and that public trust had been damaged. She demanded clarification on which institutions had their access revoked, which had links to the Chinese state, and who authorized the override of MI5 warnings. Professor Luc Rocher of the Oxford Internet Institute pointed out that this was the 198th known exposure of UK Biobank data since the previous summer. He added that not enough was being done to remove stolen data from the internet, with some data still available for download.
Conclusion
UK Biobank has temporarily stopped global data access while it works to fix security weaknesses. The attempted sale has increased political demands for an investigation into the decision-making process that allowed Chinese researchers to access the database. It has also highlighted ongoing concerns about protecting sensitive health information in international research collaborations.