At the end of April 2026, UK Biobank identified that participant data were being offered for sale on a consumer website.

We are sorry this happened and an Oversight Committee has since carried out a full investigation. They have set out both what happened and the actions required to strengthen protection of participant data going forward.

We are fully committed to implementing all of the recommendations in the report to improve our systems and processes.


Recommendations and actions from the report

  • Internal reporting and governance

    The governance and reporting of such incidents within UK Biobank have been reviewed. The internal protocols themselves have worked reasonably well but need to go further and faster.

    Action: A standing committee of the Board has been established so that appropriate risks/incidents can be brought to their attention as soon as possible, and within 24 hours of an incident first being recognised, and then prioritised and escalated to the Board as necessary.

  • Communication to participants

    It has taken too long to contact the participants.

    Action: UK Biobank will seek to obtain the contact details for all its participants and procure an email service and postal service which can email/hard-copy mail all participants on the same day and be on permanent standby.

  • Security review of UK Biobank’s data and systems

    Although this was not a factor in the Incident, a number of healthcare organisations have experienced external hacking and other cyber threats from State, quasi-State and non-State actors. The security of UK Biobank’s data storage, use and infrastructure needs to be reviewed and, if necessary, further strengthened (and demonstrated to be properly robust).

    Action: An external security review of UK Biobank’s systems and data management will be commissioned immediately.

  • Review of the access procedures and oversight of the access process for researchers to use participant de-identified data

    To evaluate the access policy and procedures. Establish where there is reliance on functionality, reporting, policy or legal compliance. Review the legal framework in which UK Biobank operates and the oversight of applications. Review the use of more extensive sanctions on researchers.

    Action: Commence forthwith an end-to-end review, with such external assistance as may be required, of the access procedures and related controls, including the effectiveness of any monitoring controls.

  • Establishment of internal proactive cyber and data security capability within UK Biobank

    To continually assess and review access, security protocols, and the effectiveness of monitoring in order to identify and mitigate examples of researcher or third-party misuse or revealing the existence of UK Biobank data in public-facing on-line environments. This will need significant input and advice from the external security consultants to establish a state-of-the-art capability.

    Action: Set up a robust proactive capability, which will include the establishment of a dedicated security team within UK Biobank.

  • Protocols for dealing with already downloaded data (before and after the introduction of the UK Biobank Research Analysis Platform by default policy)

    It is necessary to remove – as far as possible – downloaded datasets in the possession of researchers. This will require confirmation, and audit thereof (which is allowed by the terms of the Material Transfer Agreement), of the deletion of the downloaded data from completed or terminated projects. The latter will involve incentives to move all research projects onto the UK Biobank Research Analysis Platform.

    Action: Operate protocols for removing these data rapidly with a risk-based audit of the results.

  • Preventing downloads of data from the UK Biobank Research Analysis Platform

    This requires the prevention of any future downloads of participant-level de-identified data from the UK Biobank Research Analysis Platform. The Department of Health and Social Care (DHSC) are soon due to set out guidelines for a Secure Data Environment (SDE) and the UK Biobank Research Analysis Platform will need to meet these requirements when they become available.

    Action: Immediate evaluation and implementation of the functionality needed for the planned manual data airlock, in conjunction with a review of the specification for the automated data airlock (which should also include, as soon as available, controls over data ingress ability). Ensure the UK Biobank Research Analysis Platform meets SDE relevant requirements when these are known.

  • Evaluation of the re-identification risk

    Although this topic is widely covered in scientific journals, there is a lack of hard evidence and probabilistic rigour, and a wide variety of measures used for assessing and measuring risk.

    Action: This issue impacts on all research projects involving consented participant and/or patient data and it is proposed to set up a collaborative review – in conjunction with other research resources – to commission external research into the risk of re-identification and the measures that can be deployed to reduce the risk (such as generalisation, differential privacy, randomisation and use of homomorphic encryption). This will need to take into account both current and prospective technology (particularly in the context of next generation AI models).

  • Risk assessment review

    This Incident should prompt the Board to review its appetite for risk, focusing in the short term on data exposure or loss.

    Action: The Audit and Risk Committee shall refresh the strategic risk description and examine what new controls are needed to give the Board the assurance that the risks are within (or will become within) the prescribed appetite reviewed and agreed by the Board.

Questions you may have about the report

Why has this review taken place?

In April 2026, we discovered that de-identified participant data were being offered for sale on a Chinese consumer website. The listings were removed from the website, and it is believed that the listings identified in this case were not sold. Following this, a comprehensive and forensic investigation was commissioned by the UK Biobank Board to assess how it happened, and what more needs to be done to protect data in the future.

Was any participant data sold?

The listings were removed and it is believed that the listings identified in this case were not sold.  

What does the term ‘de-identified participant data’ mean?

Information that could be used to identify a participant, such as a participant’s name, address, date of birth and NHS number, are stored separately from the data made available to researchers and are never provided to researchers. All participant data used by researchers have been de-identified in this way.

What action did you take against the researchers who did this?

Downloading data from our platform, and offering it for sale, are both clear breaches of UK Biobank policy. In this case we have identified the research projects associated with the impacted data and the individuals and the academic institutions responsible have been banned.

Who conducted the review and developed the report?

The Oversight Committee that conducted the review consisted of three members of UK Biobank’s Board of Trustees, two external members of our Information Governance Committee, and an independent cyber security expert. It was supported by the Secretary and Legal Counsel to the Board.

Did participants feed into the review?

Members of our Participant Advisory Group spoke to the Oversight Committee as part of their investigation, which gave the Board the opportunity to hear about the impact on some participants first-hand. Our Participant Advisory Group has also met three times over the past few weeks to share advice with us on next steps.

What were the main findings of the review?

The Committee has made nine recommendations, set out in the report. The recommendations cover topics including internal governance procedures, communication to participants, and access procedures for researchers. Read the recommendations and actions.

Is UK Biobank implementing all the report’s recommendations?

Yes. We are fully committed to implementing all of the Committee’s recommendations to improve our systems and processes. This work is already underway.  

When will UK Biobank’s Research Analysis Platform (UKB-RAP) be reopened for researchers?

UK Biobank will provide access to our platform as soon as we can do so securely.

Based on the recommendations, UK Biobank is now developing an implementation plan, intending to provide researchers later in June with a timeline for resuming access to the platforms.

Will the report have an impact on the future of UK Biobank’s contribution to scientific research?

Ensuring participants’ personal information is safe and the data are used correctly is our number one priority. We are putting in place additional security measures to prevent this happening again and while we do this it is necessary to suspend all researchers’ access to the UK Biobank Research Analysis Platform.

Pausing all access to the UK Biobank Research Analysis Platform will regrettably impact researchers around the world and put their projects on hold. We are truly sorry for the impact this will have on their important work, and intend to allow them to resume access as soon as we can do so securely.

We are determined to do everything we can to restore trust and confidence so that UK Biobank can continue to enable vital health research that is already leading to improvements in the prevention and treatment of disease.

How will you stop this from happening again?

We will be fully implementing all of the report’s recommendations to improve our systems and processes, and to mitigate against any future data breaches.

What steps is UK Biobank taking before releasing newly linked health outcome data (e.g. GP data) to researchers?

No new linked health outcome data (including GP data) will be made available to researchers until we have implemented the security measures recommended by the Board-led review, as agreed with the data providers. The security measures include developing a robust output checking system, which will prevent de-identified participant data from being taken off the platform, while still enabling the research of the tens of thousands of scientists who use UK Biobank. 

Participant webinars

Are you a participant who wants to learn more about what the data security report means for you?

Join us at an upcoming webinar to hear more about what happened, the actions that have already been taken, and our commitment to implementing all recommendations in full.

Learn more about how we protect the data

We made an important commitment to our participants when they joined the study. Find out how we uphold this commitment.

Join UK Biobank for a webinar on 17 June or 25 June to learn about actions to strengthen protection of participant data going forward.