Forty-eight NHS staff accessed the medical records of victims of the Southport attack without any legitimate reason, a hospital trust has admitted – a breach kept hidden from survivors for almost two years.
‘Devastated and horrified’
Leanne Lucas, the instructor of the Taylor Swift-themed dance workshop where Axel Rudakubana carried out the July 2024 massacre, said she was “absolutely devastated and horrified that my privacy has been invaded when I was at my most vulnerable”. Ms Lucas, who now campaigns against knife crime and has waived her right to anonymity, told the press: “Nothing will take away my gratitude to the staff who saved my life, but 48 people not involved in my care abused their position of trust to access the files of victims who have suffered unspeakable trauma.” She described the decision to keep the breach from her for nearly two years as “a new low” and accused senior management of an “attempted cover up”.
Three girls – Alice da Silva Aguiar, nine, Bebe King, six, and Elsie Dot Stancombe, seven – were murdered by Rudakubana at The Hart Space in Southport. Ten other people were injured, including Ms Lucas and businessman John Hayes. Some of the injured were treated by University Hospitals of Liverpool Group (UHLG).
The audit and its findings
Days after the attack, UHLG conducted a “standard” information access audit that flagged 64 instances of record access that raised suspicion. Of the 60 staff members investigated – four had already left the trust – 12 were found to have had a legitimate reason for viewing the records. The remaining 48 faced internal disciplinary action, which ranged from informal counselling to a final written warning. No member of staff was dismissed. The trust reported the incident to the Information Commissioner’s Office (ICO) in August 2024.
Nicola Brook, a legal director at Broudie Jackson Canter, which represents three survivors including Ms Lucas at the Southport Inquiry, said the scale of the breach pointed to a culture problem. “This is more than a few bad apples when it was 48 different members of staff who, for no legitimate reason, chose to access vulnerable victims’ records,” she said. “That speaks to a culture and one that will only change if there are real consequences for those responsible.”
Why victims were not told for nearly two years
The most striking element of the case is the trust’s decision not to inform the patients involved until this week – almost two years after the audit and the report to the ICO. James Sumner, chief executive of UHLG, said the trust had taken the decision after “taking into consideration the potential psychological impact it may have upon them at the time”. He added that the trust’s leadership later changed its mind about informing patients, but the decision to withhold was ultimately upheld because of concerns about retraumatisation.
Ms Lucas rejected that explanation outright. “The decision to keep this from me for almost two years is a new low,” she said. “I am speaking out as I want this scandal and the attempted cover up by senior management exposed for what it is.” Her legal representative, Nicola Brook, echoed the sentiment, calling it “a truly unbelievable breach of privacy for victims of one of the most horrific attacks this country has ever seen”. The trust’s decision meant that victims – already grappling with the physical and psychological aftermath of the attack – were left unaware that their most private medical details had been viewed by colleagues with no clinical need to see them.
An ICO spokesperson confirmed the regulator had been notified in August 2024 and had provided support to the trust during its internal investigations. The ICO stated it was “satisfied” that no staff had broken data protection laws relating to unlawfully obtaining personal data, and does not intend to open a criminal investigation at this time, though it will keep the matter under review. The regulator noted that this is “a wider issue across the health sector that we are working to address”. It follows a similar breach at Nottingham University Hospitals Trust, where staff accessed the records of victims of the Valdo Calocane attack.
Trust’s response and apology
Mr Sumner issued a public apology, saying: “We are sincerely sorry for any distress that may have been caused to the patients that were under our care and who trusted us to look after them when they were most vulnerable.” He described breaches of patient confidentiality as “inexcusable” and said they “undermine the hard work of those teams who sought to provide the highest standard of care to these patients after they experienced such traumatic and life-changing events”. He confirmed the trust had notified the relevant regulators and professional bodies and had been “fully transparent about any findings and actions taken”.
Staff found to have inappropriately accessed records were subject to HR disciplinary processes, the trust said. UHLG has also introduced a new digital solution designed to reduce inappropriate access to patient records.
The ICO spokesperson added: “People need to trust that their medical information is safe and only available to healthcare staff who need to use it. Anyone inappropriately accessing information in this way may face disciplinary action or even criminal prosecution in some cases.”