Health data from UK Biobank exposed online

The new investigation found that confidential health data from the UK Biobank project has been mistakenly posted online on multiple occasions. The situation involves researchers who received approved access to the data but allegedly shared the information online mistakenly.

The investigation uncovered two datasets which contained hospital diagnosis information and medical records for more than 600,000 study participants. The incidents involve the UK Biobank, a major medical research database holding health records of about 500,000 volunteers in the United Kingdom.

UK Biobank leaked database

The UK Biobank database includes genetic material and imaging data and blood specimens and personal behaviour data which researchers use to investigate diseases including cancer and dementia and diabetes. Scientists throughout the world can submit requests for dataset access to conduct research.

The researchers who investigated this matter uploaded confidential information to GitHub which they had mistakenly left unprotected. The uploaded files contained complete hospital diagnosis documents together with personal details which included gender and birth month and year.

The data expert who examined the file found the experience to be terrifying. The expert described how medical information in the dataset made him feel because he found the dataset to be terrifying.

Privacy experts express concerns about patient record identification because the datasets lack names and addresses. The combination of birth dates with medical procedure details enables identification of participants through online information cross-referencing.

The University of the West of England's Professor of Economics Felix Ritchie said expecting volunteers to never share personal information online is unrealistic. Oxford Internet Institute Associate Professor Luc Rocher added that even limited data can reveal sensitive health details if records are linked correctly.

The UK Biobank reports that it has not found any instances where participants were directly identified. The Biobank Chief Executive Professor Sir Rory Collins, explained that the organisation provides researchers with data which does not contain any identifying information about individuals.

The organisation has implemented measures to solve the issue by submitting legal requests for file removal from GitHub and providing additional training to researchers who manage medical research data. The organisation issued approximately 80 takedown notices during the period between July and December 2025.