Medical Data of 500,000 UK Biobank Volunteers Listed for Sale on Alibaba
A dataset containing genetic sequences, blood samples, and medical imaging of half a million UK Biobank volunteers was offered for sale on the Chinese e-commerce platform Alibaba, prompting an emergency government response.
Half a million Britons who volunteered their medical data to help cure cancer found their information listed for sale on Alibaba. The UK Biobank charity has informed the British government that a dataset containing the de-identified medical records of 500,000 volunteers was offered for sale on the Chinese e-commerce platform, triggering an urgent security review and the revocation of data access for three research institutions.
Investigators traced the Alibaba listings to three research institutions that had legitimate contracts with UK Biobank. The charity, which holds more than 15 million biological samples and detailed health records from volunteers recruited between 2006 and 2010, immediately revoked their access and paused new data access while strengthening security controls. At least one listing reportedly contained data on all 500,000 volunteers, though Alibaba and Chinese authorities removed the adverts before any sale could be confirmed.
The dataset includes genetic sequences, blood samples, medical imaging, and detailed lifestyle information used for global health research into cancer, dementia, diabetes, and other chronic diseases. UK Biobank emphasizes that the data was "de-identified," meaning it did not include names, addresses, or NHS numbers. However, it still contained granular demographics such as gender, age, birth month/year, socioeconomic indicators, lifestyle details, and health measures — information that privacy experts warn can often be re-linked to individuals by cross-referencing with other public or commercial records.
US intelligence, policy reports, and academic work paint a consistent picture: China treats large, diverse human genomic and health datasets as a strategic resource for both economic and security reasons. The US National Counterintelligence and Security Center (NCSC) explicitly states that the People's Republic of China views bulk healthcare and genomic data as a "strategic commodity" to drive its biotech, AI, and precision medicine industries. Large datasets from non-Chinese populations are particularly valuable for building AI models and improving the global commercial competitiveness of Chinese pharma and biotech.
From an attacker's or foreign intelligence perspective, UK Biobank is a "crown jewel" asset: it is curated, high-quality, population-scale, and much more useful than random breach dumps. Because genetic data is immutable — unlike a password, it cannot be replaced — any compromise has very long-term intelligence usefulness. Last year, the Guardian reported that one in five successful UK Biobank access applications came from Chinese entities, including BGI, China's flagship genomics company that was later placed on the US Entity List over concerns about its role in surveillance of minority populations.
The National Data Guardian, Dr Nicola Byrne, said in a statement: "People who generously share their health data to benefit others through medical research rightly expect it to be kept safe and for there to be accountability when things go wrong." Officials said the researchers downloaded the data under a legitimate contract, but its appearance on Alibaba shows how "approved" access can still turn into public exposure.
The incident raises fundamental questions about the governance of genomic data. Privacy experts recommend that individuals considering volunteering medical data ask who runs the project, how data is stored, who can access it under what controls, whether foreign entities are allowed to access or copy the data, and how re-identification risk is handled. As the UK Biobank incident demonstrates, "de-identified" is not a magic word, and the immutable nature of genetic data means that any exposure carries permanent consequences.