Medical data from 500,000 UK Biobank participants was briefly listed for sale online in China after being accessed by authorised researchers who breached data-sharing rules.
The UK government confirmed the datasets appeared on Alibaba, uploaded by three institutions with legitimate access. This was not a hack but a misuse of approved access, with Technology Minister Ian Murray stating, “This was a legitimate download by a legitimately accredited organisation.”
Although the data was de-identified, it still included sensitive details such as age, gender, and medical information, which experts warn can sometimes be re-identified. UK Biobank has suspended access, revoked permissions, and notified regulators, while senior figures described those responsible as “rogue researchers.”
The incident highlights a growing security gap, where trusted users can expose sensitive data without any technical breach.
To reduce this risk, organisations should limit data access, monitor usage closely, and apply stronger controls on how data can be downloaded and shared, rather than relying on trust alone.