Southport victims' medical records illegally accessed by 48 NHS staff members

NHS University Hospitals of Liverpool Group (UHLG) has confirmed that 48 staff members inappropriately accessed the medical records of victims of the July 2024 Southport knife attack. The personal data breach occurred at Aintree Hospital in Liverpool in the days following the incident, which left three children dead and others injured.

The breach, discovered during a routine internal audit, affected three individuals, including an adult teacher and a 13-year-old girl. Although the Information Commissioner's Office (ICO) was notified in August 2024, the victims were only just informed, nearly two years later. One victim condemned the delay as an attempted cover-up by senior management, expressing devastation that her privacy was compromised during a period of extreme vulnerability.

UHLG has apologised for the distress caused but denied a cover-up, stating that the decision to withhold information was based on clinical advice regarding the psychological impact on the patients. The trust confirmed that disciplinary actions were taken against the involved staff, ranging from informal counselling to final written warnings, though no employees were dismissed.

The Department of Health and Social Care (DHSC) labelled the incident completely unacceptable and promised to monitor the situation to prevent future breaches. The ICO stated that it is not launching an investigation at this stage but reminded healthcare providers of their data protection complaints and obligations.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.