NHS staff accessed Southport victims’ records ‘inappropriately’, hospital trust admits

NHS Staff Accessed Southport Victims’ Records ‘Inappropriately’

NHS staff accessed Southport victims records – The NHS University Hospitals of Liverpool Group (UHLG) has acknowledged that nearly 50 employees accessed the medical records of Southport victims in an improper manner. This revelation followed a delayed disclosure, as the breach was uncovered during an internal audit conducted shortly after the July 2024 knife attack. The hospital trust admitted to the lapse, though no staff member has been formally reprimanded, with only written warnings issued.

Privacy Breach at Southport Hospital

Three individuals, including a 13-year-old girl participating in a Taylor Swift-themed dance class at the time of the attack, had their privacy compromised. Leanne Lucas, a survivor with five stab wounds, shared her frustration with the breach, describing it as a “shocking and disheartening” violation of her personal space. The trust called the access “inexcusable,” but stopped short of taking more severe disciplinary measures.

“I am heartbroken that my medical details were viewed by 48 staff members who weren’t involved in my care,” Lucas said. “It was personal curiosity that led to this intrusion, and the fact that I only learned about it from the news is deeply upsetting.”

Lucas discovered the breach on Thursday when a hospital official brought it to her attention, following a journalist’s inquiry. She criticized the two-year delay in informing her, stating, “It’s disgraceful that the Information Commissioner’s Office was alerted in August 2024, yet I found out only because I was about to read about it in the press.”

Internal Review Highlights Systemic Issues

The breach was identified during a routine audit of data access, which the trust claimed was a standard procedure. However, the audit revealed that nearly 50 staff members reviewed victims’ files without proper authorization, raising concerns about internal oversight. The trust has not disclosed the identities of those involved, leaving questions about accountability and control within the organization.

Solicitor Nicola Ryan-Donnelly, representing the teenage girl affected, called the incident a “deeply disturbing abuse of power.” She emphasized that the girl, now entering adulthood, is capable of understanding the breach’s impact. “Staff accessed her records for personal interest, not to assist her recovery,” she noted, highlighting a potential systemic failure in data handling.

Responses from Leadership and Critics

James Sumner, UHLG’s chief executive, defended the trust’s actions, stating that patients were not immediately informed based on clinical recommendations. “We aimed to protect survivors’ emotional well-being during a time of trauma,” he explained. The trust also noted it promptly notified regulators and professional bodies about the incident.

Despite these justifications, critics argue the delay was excessive. Nicola Brook from Broudie Jackson Canter, representing adult survivors, said, “The trust’s attempt to conceal the breach reflects a culture that values convenience over privacy.” She called for stronger accountability, stressing that “without real consequences, this behavior will likely continue.”

Meanwhile, the Information Commissioner’s Office (ICO) stated it is not currently pursuing criminal charges but reiterated its commitment to safeguarding patient data. “Organizations must ensure sensitive information is protected, especially after events like the Southport attack,” the ICO added, underscoring the importance of transparency in healthcare settings.

Ongoing Scrutiny and Public Concern

As the investigation continues, public and political attention remains focused on the trust’s transparency. Labour MP Patrick Hurley expressed alarm, stating, “The access of confidential records without valid reason is profoundly troubling.” He argued that survivors and families deserved immediate clarity during their recovery, not delayed disclosure.

Community reactions have been mixed, with some urging the trust to take stronger action against the staff involved. Others remain skeptical, questioning whether the breach was an isolated incident or part of a broader pattern of negligence. With no dismissals yet, the case highlights the need for clearer protocols to prevent such lapses in the future.