The UK government confirmed Thursday that de-identified health data from 500,000 UK Biobank volunteers was listed for sale on Alibaba's e-commerce platforms in China.

Technology Minister Ian Murray made the disclosure during a statement to the House of Commons. He said UK Biobank notified the government on April 20 that three listings offering the data had appeared online. At least one dataset included information from all 500,000 participants recruited between 2006 and 2010, when they were aged 40 to 69.

The data, which covers medical records, genetic information, lifestyle details, and biological samples, did not include names, addresses, dates of birth, or NHS numbers. Murray emphasized that no purchases were made before the listings were removed, thanks to cooperation from Alibaba, the Chinese government, and UK Biobank. Access for the three implicated Chinese academic institutions was immediately suspended.

The incident stemmed not from a cyber-attack or leak but from a legitimate download by approved researchers who breached their contract by attempting to sell the data. UK Biobank Chief Executive Professor Sir Rory Collins apologized to participants in an open letter. "We take the protection of participants’ data extremely seriously and do not tolerate any form of data misuse," he wrote. The charity has paused all access to its research platform for three weeks, imposed file size limits on exports, and launched a board-led forensic investigation. An automated 'airlock' system to check exports is planned by year's end.

Murray described the breach as an "unacceptable abuse of the UK Biobank charity’s data and an abuse of the trust that participants rightly expect." The government has referred the matter to the Information Commissioner’s Office, which is making enquiries. UK Biobank, partly funded by £200 million in taxpayer money, has enabled over 18,000 scientific publications on diseases like cancer, dementia, and Parkinson's.

Opposition figures expressed alarm. Reform UK deputy leader Richard Tice called it a "China data theft scandal," questioning continued access for Chinese researchers despite thousands having used the data safely since 2012. Liberal Democrats technology spokeswoman Victoria Collins termed it a "profound betrayal." Experts warned that even de-identified data carries re-identification risks, potentially eroding public trust in health research.

The government plans new guidance on research data controls and urged organizations to bolster cybersecurity. Murray thanked the Chinese authorities for their rapid response while stressing the need for robust safeguards.