Personal data belonging to approximately 500,000 volunteers registered with UK Biobank has been hacked and listed for sale online, according to technology minister Ian Murray, who informed MPs following the incident.
The breach reportedly involved health-related information from the large-scale biomedical database, which is widely used for medical research across the UK and internationally.
The compromised data was allegedly offered for sale via the Alibaba platform, a global online marketplace, with reports indicating the listing appeared on three separate occasions. No confirmed sales have been made.
Commenting on the incident, Kristy Gouldsmith, Data Protection Partner at law firm Spencer West, said there is a need for greater transparency over how the breach occurred and what steps will be taken to prevent recurrence.
“The public needs to understand how this breach happened and what UK Biobank will do to prevent further breaches,” said Gouldsmith.
She described the incident as significant given the scale of the dataset involved, adding that the organisation should explain how such a large volume of sensitive information was accessed and listed for sale.
Outside of this incident, there have been wider efforts within the NHS to strengthen cyber resilience, with a national cybersecurity strategy focused on improving coordination, early threat detection and secure-by-design systems across healthcare organisations.
UK Biobank has not yet publicly detailed the technical cause of the breach or confirmed the specific categories of data affected beyond the reported volunteer records.