UK Biobank health data keeps ending up on GitHub

UK Biobank is leveraging copyright takedown notices to remove sensitive health data leaked on GitHub, as the UK lacks rapid legal mechanisms for privacy breaches. Investigations reveal a steady stream of genetic and phenotypic data being inadvertently exposed by researchers worldwide.
What is UK Biobank trying to take down
UK Biobank uses copyright takedown notices, a mechanism often associated with removing pirated software and stolen code, to remove health data from GitHub. The UK has no equivalent of DMCA for privacy breaches that would compel a platform to act so quickly.
Looking at the takedown notices, we often see specific files being targeted rather than entire repositories—possibly to justify the copyright infringement as required for a takedown notice. Nearly half are Jupyter or R notebooks, which can contain a few rows of data. A quarter are genetic and genomic data files (PLINK, BOLT-LMM, BGEN) that directly encode participant genotypes or association results. Tabular datasets (CSV, TSV, Excel, and serialised R objects) account for another large share and could contain phenotype or health records. The remainder includes analysis scripts, documentation, and compressed archives.
Timeline of takedown notices
The first takedown notice was filed in July 2025. Since then, the pace has been steady, with a total of 110 requests to GitHub. Interestingly, the requests stopped in January, February, and most of March 2026. It's hard to believe that no researcher has mistakenly uploaded UK Biobank data during these months. The notices restarted end of March, just after the Guardian's investigations revealed the ongoing data exposure and the ineffectiveness of takedowns.
Where in the world
Developers targeted by UK Biobank's takedown notices are based in at least 14 countries. The true number is likely higher: of the 170 developers identified in the notices, only 75 list a location on their GitHub profile. Most appear to be from United States and China.
- 24 United States
- 21 China
- 7 United Kingdom
- 5 Germany
- 4 Hong Kong
- 4 Australia
- 3 Spain
- 1 South Korea
- 1 Greece
- 1 Qatar
- 1 United Arab Emirates
- 1 Switzerland
- 1 India
- 1 Netherlands
Methodology
To build this webpage, I used data from the github/dmca repository, where GitHub publishes the full text of every DMCA takedown notice it receives. When a rights holder asks GitHub to remove content that infringes their copyright, the notice is posted publicly as a Markdown file in this repository. According to The Guardian, UK Biobank has used this process to request the removal of files or repositories that contain (or that it believes contain) participant data covered by its data access agreements.
To identify UK Biobank-related notices, I match filenames containing the slug "uk-biobank". I also search the full text of every other notice file for the phrases "UK Biobank" or "UKBiobank". From each matching notice, I extract the filing date and all GitHub repository URLs mentioned in the notice body.
For each unique GitHub username found in the notices, I query the GitHub REST API to retrieve the user's public profile, specifically the self-reported location field. I derive countries from the raw location strings by hand. When a user's GitHub profile does not include a location, I also determine their country by inspecting their GitHub profile and associated email address domains.
The data is regularly refreshed by re-running the collection script against the latest state of the github/dmca repository. This page reports only what is visible in the public DMCA notices filed by UK Biobank.
Further reading
The exposure of Biobank data on GitHub is the latest in a series of governance challenges for UK Biobank. Investigations by The Guardian revealed that UK Biobank participant data had been uploaded to public GitHub repositories by researchers sharing their code. With a volunteer's consent, journalists successfully matched their record in an exposed dataset using only their month and year of birth and the date of a single major surgery. Other concerns include access by insurance companies and overseas entities, raising questions about the balance between data sharing for research and participant privacy.
Source: Hacker News















