Biobank data incident caused by 'a few bad apples', boss says
The boss of UK Biobank Professor Sir Rory Collins has said a "few bad apples" were behind the incident which saw medical data belonging to 500,000 participants listed for sale on a website in China.
Datasets containing de-identified information about its volunteers made available to researchers at three academic institutions were found to have been posted for sale on Alibaba last week, the government said on Thursday.
It said the listings were "swiftly" removed before any purchase took place but the charity is now facing scrutiny over how the incident occurred.
Sir Rory told the BBC he was "angry" and "upset" about it, and the institutions concerned had been banned from its platform.
He added the organisation was "essentially putting science on hold" by temporarily suspending all access to its online research platform while it put additional controls in place "to prevent anything like this happening again".
The Biobank is a collection of health data offered by UK volunteers which has been used to help improve the detection and treatment of dementia, some cancers and Parkinson's.
Its online research platform allows scientists at approved academic institutions around the world to access its datasets - which include de-identified medical information about participants - for their own research.
"In this case, a few bad apples have taken those data off the platform and they have listed the data for sale," Sir Rory told BBC Radio 4's Today programme.
"By working swiftly with the UK government and the Chinese government, and we're really grateful for their help, we have been able to get those listings removed before any data were sold."
Identification concerns
Technology minister Ian Murray told MPs in the House of Commons on Thursday that the data involved in the incident did not include participants' names, addresses, contact details or telephone numbers.
However, he said it could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.
Biobank has collected intimate details - including whole body scans, DNA sequences and their medical records - from hundreds of thousands of volunteers for over two decades.
Participants were aged from 40 to 69 when they were recruited between 2006 and 2010.
When asked if Biobank participants could potentially be identified through sharing of its datasets, Sir Rory told Today it was "impossible" to entirely rule out that people could be identified by using its de-identified data and other information.
But he said there was no evidence to suggest this had taken place.
The organisation referred itself to the UK's data watchdog, the Information Commissioner's Office (ICO).
An ICO spokesperson said in a statement on Thursday it had been informed of the incident and was making enquiries.
"People's medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law," they said.
Jon Baines, senior data protection specialist at law firm Mishcon de Reya, said the regulator would likely be seeking to confirm volunteer information was truly de-identified and, as such, does not constitute personal data under UK law.
Meanwhile, the organisation said there would also be a "comprehensive and forensic board-led investigation of this incident".
Sir Rory acknowledged "we can always do more" to prevent potential misuse, but said it had to balance making data available for scientific discovery and protecting it.
"UK Biobank has allowed discoveries to be made that otherwise would never have emerged about how to prevent and treat diseases like dementia," he told Today.
"The balance then is how do you put in place safeguards to allow that to go on, while doing it in a secure way."