Half a million people gave their health data to science. Now it’s for sale on a Chinese shopping website, and the British government’s best response is to ask politely.

Since the UK Biobank breach was reported last week, new listings of confidential health records have continued appearing on Alibaba. Science minister Patrick Vallance told the House of Lords that the government has been working with Chinese officials to have the postings removed — language that barely conceals how little control Britain actually has.

“New listings will emerge — there have been additional listings posted since the government were made aware of the issue last week — and we continue to work with the Chinese government to remove them quickly,” Lord Vallance told peers.

The government is braced for further leaks.

How it happened

Half a million UK Biobank volunteers — people who donated genetic samples, medical histories, and lifestyle data to a research project aimed at fighting cancer, dementia, and heart disease — had their records listed for sale by researchers at three Chinese institutions. Vallance named them: the Second Xiangya hospital, the China-Japan Union hospital, and Beijing Chaoyang hospital.

UK Biobank learned of the breach not from its own security systems, but from an anonymous whistleblower. Technology minister Ian Murray confirmed the breach in an emergency parliamentary statement. The listings have since been taken down, and officials do not believe any data was actually sold. All access to UK Biobank data has been temporarily suspended.

The data is “de-identified” — stripped of names, addresses, and exact dates of birth. Vallance said there was a “low probability” of re-identification. But “low probability” is not zero, and re-identification tools keep improving. Last month, the Guardian re-identified a single UK Biobank participant from a separate leaked dataset using nothing more than a date of birth and the record of a surgical operation.

“It is increasingly possible to triangulate in large datasets and get close to identification, and that remains a very real risk,” Vallance said.

Thirty breaches in a month

The Alibaba listings are the most visible symptom of a deeper problem. According to Dr Luc Rocher, a researcher at the Oxford Internet Institute who has been tracking the breaches, UK Biobank has taken action on at least 30 separate data breaches in the past month alone. Some data remains publicly accessible right now, including a detailed dataset covering 96,000 volunteers that appears to have been accidentally uploaded by a master's student at Yale University.

UK Biobank said it had asked for the Yale data to be removed and expects it done “shortly.” Asked and expects — the language of an organization that has lost control of its own inventory.

Chi Onwurah, chair of the Commons science, innovation and technology committee, was blunt: “I’m astounded that that data is still available online. UK Biobank have been complacent about the half a million British people who have shared their most intimate and personal data with them and who deserve better than this.”

The limits of asking nicely

The breach lays bare the fundamental weakness of national data-protection law when information crosses borders. UK Biobank distributes data to researchers worldwide under signed agreements that prohibit redistribution. But when a researcher at a Chinese hospital uploads that data to a public marketplace, the enforcement mechanism is a takedown request. Britain cannot compel a Chinese hospital to comply. It cannot force Alibaba to do anything. It can ask, and wait, and ask again.

A government spokesperson said: “We are working with UK Biobank to understand its origin and extent of this data, and to ensure they are taking proactive steps to get it removed.” UK Biobank is a charity independent of government — meaning ministers are essentially asking an organization that has already lost control of its data to take “proactive steps” toward regaining it.

Vallance called the breach a “real wake-up call” and praised the volunteers whose altruism has enabled breakthroughs in genetics, dementia prediction, and Covid-19 research.

A wake-up call presupposes someone was asleep. Thirty breaches in a month is not a napping problem. It is a structural one — and no amount of diplomatic correspondence with Beijing will fix it.
