Scientists comment on UK Biobank’s Oversight Committee report into data security.
Professor Luc Rocher, Associate Professor, Oxford Internet Institute, University of Oxford, said:
“UK Biobank data have not only been offered for sale on Alibaba, but have been leaked publicly hundreds of times in the past year. The report describes a grim picture for participants and for the NHS who were assured, from 2006 to 2021, that only anonymised data would be shared. The Guardian demonstrated this year that this assurance does not hold: two data points can be enough to correctly identify a participant in leaked Biobank data. The report acknowledges that around 700 institutions worldwide have yet to confirm that they deleted the data they downloaded. Recovering and tracking those files will be an enormous task, and many have already made their way online. Auditing who has downloaded data and whether it has been deleted will not be possible for data leaked online, for which it is too late already.
“The means to do better already exist. Platforms such as OpenSAFELY go further than the report recommends, by sending researchers’ code to the data rather than the other way around. Investment in environments of this kind, which provide better transparency and traceability, and allow data to remain within the NHS, is the way forward to rebuild public trust in the NHS.”
Matt Westmore, Chief Executive of the Health Research Authority, said:
“I welcome the publication of this report. Being open about what has happened, and about what is being done in response, is essential to rebuilding public trust.
“Health data underpins major advances in understanding disease, diagnosis, prevention and treatment. This is made possible by the trust of people who volunteer their data. Protecting that trust requires strong safeguards, proportionate oversight and continuous improvement across the system.
“No use of data, or research in general, is risk-free. We should always seek to minimise risks, but there will always be a trade-off between the risks of harm to people involved and the benefits to us all through new knowledge. Patients and the public must be able to make an informed and free choice about whether to accept that balance. Informed consent, transparency, openness, and a clear commitment to learning when things go wrong are all critical to the social contract between researchers and the public.
“UK Biobank has a favourable ethics opinion from an NHS Research Ethics Committee appointed by the Health Research Authority. In line with standard conditions of approval UK Biobank informed the REC about the incident which led to the report, which is being investigated in line with our standard procedures.”
Prof Charles Swanton, Chief Investigator of the CRUK TRACERx clinical study to decipher lung cancer evolution and co-director of the CRUK Lung Cancer Centre of Excellence, said:
Do you welcome the publication of this report, and is it important that it has been made public?
“I welcome it unreservedly. The decision to publish the report in full, rather than handle this quietly behind closed doors, reflects the culture of openness that has defined UK Biobank from the outset. Transparency is the basis of participant trust; six hundred thousand people consented to take part in this resource on the understanding that UK Biobank would act in good faith, including when something goes wrong. By laying out candidly what happened and what must change, UK Biobank has honoured that contract with participants. Publishing the report openly, alongside participant webinars and accessible Q&As, sets a standard that the wider research community should aspire to.
Is this a good and comprehensive investigation?
“It absolutely is. The Oversight Committee has not confined itself to the proximate cause but has examined the entire chain including internal escalation, participant communication, the access framework, infrastructure security, the handling of previously downloaded data, and the deeper question of re-identification risk. Many post-incident reviews stop at the immediate failure point, but in this case the team interrogated the entire data ecosystem and has been honest where performance was not adequate, acknowledging that participant communication took too long.
Are the recommendations strong enough, and will they help prevent recurrence?
“Yes, definitely. The move to the Research Analysis Platform, preventing participant-level data being downloaded at all, is the most important change, because it addresses the structural vulnerability that was built on trust. Bringing data to the researcher rather than sending data to the researcher is a pragmatic structural solution. Their measures minimise the chance of this happening again and the consequence of further breaches.
Why is it important to share patient data with research in the first place?
“Because the UK Biobank is one of only a few powerful datasets we have globally for improving human health. The discoveries UKBB have enabled in cancer, cardiovascular disease, dementia, and far beyond, depend on scale, on linkage to health outcomes, and on the ability of researchers worldwide to interrogate the data. In my own field, large consented cohorts have been indispensable to understanding cancer initiation, identifying who is at risk, and developing the stratified approaches that will hopefully underpin cancer prevention medicine. This would not have been possible without UKBB getting us started. None of that is possible without participants generously sharing their data, and without a trusted custodian enabling responsible access. The benefit flows back to patients and to the public more rapidly than ever before. In my view (shared by many others outside the UK), UKBB is quite simply the most important global resource for disease mechanism research, the results of which are already leading to the next discoveries which will benefit the patients we and UKBB serve.
Does the report get the balance right between security and enabling good science?
“I really think it does. The temptation after such an incident is to treat every researcher as a risk, which would throttle the science the resource enables. UK Biobank has avoided this by investing in a secure, well-governed platform that allows analysis to continue within a trusted environment.
Is there anything missing that you would like to see UK Biobank do?
“Our clinical research studies would benefit from UK Biobank learnings, so that the wider ecosystem benefits and we can modify our own processes accordingly. As next-generation AI models reveal what re-identification is technically possible, I would urge that the proposed re-identification review be treated as a recurring exercise rather than a one-off. None of this detracts from a thorough and commendable response.”
Prof Louise Thomas, Professor of Metabolic Imaging, University of Westminster, said:
“The report was excellent and exactly what I would have expected from the UK Biobank. They have been very transparent about what happened and about the entire timeline of events. Although the UK Biobank is taking responsibility for everything, the reality is that researchers at the institutions mentioned have completely breached trust, behaving in the most appalling way. The whole point of the UK Biobank was to create a global treasure trove of data to enable research and to understand health and disease. It has done that in spades; individuals cannot be identified by researchers, and the vast numbers of scientists worldwide using the data are a testament to the quality of the work the UK Biobank does. The appalling, quite frankly, reprehensible behaviour of a few people and the surrounding publicity have tarnished the reputation of one of the greatest achievements of the modern age in the UK. I was also interested to read that other international biobanks are mentioned, so this problem isn’t unique to the UK Biobank. Are the ones mentioned being this proactive in trying to fix the issue?
“The investigation itself was very thorough. I am very shocked by the PI’s response that two of the breaches involved legitimate users’ credentials; in this day and age, does anyone casually share login details? It would be helpful to know what institutional responses have been, given the damage they have caused to trust in the UK Biobank and the scientific community. What are the consequences? What legal action is being taken? Perhaps they should be paying for the implementation of the new data airlock system as a consequence.
“Turning to the recommendations, they are strong, perhaps unnecessarily strong. Surely the many thousands of researchers who use the data honestly and transparently, for the public good, as they have been doing for many years, should not face yet more restrictions. The report notes resistance among imaging researchers to moving their research to the RAP, and I do have a conflict of interest here as an imaging researcher. Those of us who create new ways to analyse and extract data from images have to work with the images directly. Even using a GPU, models can take months to develop and run, the kind of work that isn’t feasible in the RAP. Without this exemption, this work will stop. Security is essential, but it has to be implemented sensibly so that research can continue. They wouldn’t expect pharma companies to analyse plasma samples in the RAP, and many technologies require work to be done outside it. There have to be sensible exceptions in certain cases.
“Patient data is also essential if we are to move science forward for the general public. For instance, if we model certain organs or tissues only in “ordinary” people, the models might not work in people with diseases/extreme phenotypes. Some clinical data is essential for model development; a good example might be measuring muscle volume in someone with a neuromuscular disease.
“The report is balanced, but we need a clearer idea of when the RAP will restart. Everyone is still stuck: PhD students, post‑docs, all development; work has ground to a halt. We don’t yet know how the airlocks will work in practice, and hopefully, they will allow workflows to continue without too much disruption.
“What’s missing from the report, I think, is an acknowledgement that the UK Biobank cannot police the internet. It cannot be held responsible, despite the safeguards it has put in place, for the behaviours of bad actors. It is important that people have a better understanding of what de‑identified data really is, so that they understand that while this was an awful breach of trust, we cannot allow a tiny number of individuals to harm the good that the UK Biobank is doing and will continue to do.”
Professor John Danesh, BHF Professor of Epidemiology and Medicine, Department of Public Health and Primary Care, University of Cambridge; Faculty member, Wellcome Sanger Institute; Access Committee member, UK Biobank, said:
“UK Biobank is a jewel in the crown of UK science — and today’s report from its Oversight Committee is a reminder of both the importance of that resource and the responsibility that comes with it.
“The report is a serious response to an incident earlier this year involving an illegal attempt to breach UK Biobank’s access rules. UK Biobank’s swift action prevented any data from being sold, and no study participants are known to have been re-identified because of that incident.
“The nine recommendations in today’s report focus on strengthening governance, security, and oversight. They reinforce UK Biobank’s existing trajectory towards a secure data environment that brings researchers to the data, rather than the data to the researcher. These are sensible steps.
“There is, however, a need for a clear-sighted, long-term view of the balance between data access and security. UK Biobank is a uniquely powerful resource for medical discovery – one of the most valuable population-scale biomedical datasets in the world – and it is critical to science to help patients. More than 18,000 peer-reviewed scientific papers have already been published using UK Biobank data, contributing to key advances in cancer, heart disease, dementia, diabetes and many other conditions.
“Locking data away is the only sure way to keep it completely safe, but it would also render UK Biobank unable to fulfil its purpose. Unwarranted restriction on responsible access carries a real cost. Those costs can be measured in delayed discoveries and slower progress for patients. The costs are rarely visible, but no less real for that.
“The right response to this incident is not to curtail access to this invaluable resource, but to make that access more secure, more transparent, and more rigorously overseen. The recommendations in today’s report point in the right direction.
“Continued vigilance, strong governance, and transparency will help sustain the public trust placed in UK Biobank by its participants. That trust must be repaid through both the protection of their data and the delivery of the scientific and health benefits that motivated their participation in the first place.”
Professor Ewan Birney CBE FRS FMedSci, Director of EMBL-EBI, said:
“The data breach of UK Biobank data in China last month was a serious concern both for participants and the overall community. It was right that UK Biobank both acted quickly to remove these listings, started the review process leading to the current report and paused all access over this time. This report is independent, thorough and makes some strong recommendations which will further improve the security of UK Biobank data whilst still providing access to responsible and authorised research. UK Biobank is the best cohort in the world, and much of the research on human biology and health is happening in this cohort along with others around the world – this is research that provides huge benefits in our understanding with practical outcomes such as better diagnoses and more effective therapeutics.”
Professor Andrew Morris, Director of Health Data Research UK, said:
“The publication of UK Biobank’s investigation and the decision to make it public is very welcome. The report appears to be commendably open and straightforward in establishing what went wrong. It sets out clear actions UK Biobank will take to improve the security of participants’ data.
“That openness matters: transparency is essential if participant trust is to be earned and maintained after an incident of this kind.
“The report appears to be a thorough and candid investigation into what went wrong, acknowledging both the immediate breach and the wider opportunities to strengthen governance, monitoring, communication and technical controls. Its recommendations are practical and, if implemented in full, should go a long way towards reducing the risk of similar incidents in future — with proposed changes to the output checking system, stronger oversight, faster participant communication, and enhanced security capability.
“In particular, it is good to see recognition that it took too long to contact Biobank participants high in the report’s recommendations. The 500,000 participants who consented to take part in UK Biobank have contributed to remarkable research and deserve to be put first.
“The two recommendations on preventing downloads of data and dealing with data already downloaded are welcome and necessary, and will be significant for Biobank to work through. Checking of outputs leaving a secure data environment is a critical safeguard, and the report states that the Biobank data environment will not re-open for research until such a system is in place.
“It is also important not to lose sight of why health data are used for research in the first place: when handled responsibly, they enable outstanding science that is relevant to health and wellbeing, by powering discoveries that improve prevention, diagnosis and treatment of diseases relevant to people globally. The report strikes the right balance between tightening security and preserving the scientific value of the resource.
“The key test now is delivery. Publication of the report is a positive step, but restoring confidence will depend on visible implementation, independent scrutiny, and continued engagement with participants. The scientific community now has both the responsibility and the opportunity to work in partnership with citizens, collaborate closely, and help deliver the changes needed to strengthen security, demonstrate trustworthiness, and support the highest quality systems that underpin health data research for the public good.”
Anna Steere, Head of Understanding Patient Data, said:
“The Oversight Committee’s report marks an important step in setting out clear actions for UK Biobank to tighten governance, improve oversight and enhance security – all essential to maintaining confidence in the use of health data.
“Consented cohort participants make an exceptional contribution to health research in support of the public good, so it is right to recognise that UK Biobank responded quickly and openly, while also showing that systems and safeguards must continue to evolve to meet the highest standards.
“As these measures are implemented, UK Biobank will need not only to strengthen protections, but to communicate them clearly to participants and the wider public. Maintaining trust will depend on transparency, accountability and clear evidence that lessons have been learned – not least to avoid any wider impact on public confidence in how health data is used across the NHS.”
https://www.ukbiobank.ac.uk/news/report-into-data-security-at-uk-biobank-published/
Declared interests
Prof Charles Swanton: I am an active user of the UK Biobank resource and therefore have a direct interest in the continued availability of the platform and in the timeline for its reopening. I have published UK Biobank data (Pandya et al., Cell 2026) and am a named inventor on a patent for a plasma protein signature derived in part from the UK Biobank resource. I am a Board member of Novartis and Clinical Director at the Francis Crick Institute.
Prof John Danesh: Professorial Fellow, Jesus College, Cambridge. Faculty Member, Wellcome Sanger Institute. Director, Health Data Research UK-Cambridge.
Ewan Birney is a long established paid consultant to Oxford Nanopore, which is one of the companies that have provided genome sequencing for UK Biobank.
Prof Andrew Morris: Andrew Morris is Director of Health Data Research UK, the national institute for health data science; is Professor of Medicine and Vice Principal at the University of Edinburgh; is President of the Academy of Medical Sciences; has minority (<1.5%) shareholding in Aridhia Informatics; and a small number of shares in GSK (<£5,000).
For all experts, no reply to our request for DOIs was received.