In June 2023, three people were killed in Nottingham. Barnaby Webber and Grace O'Malley-Kumar, both students, and Ian Coates, a school caretaker, were murdered in an attack that drew national attention. Within Nottingham University Hospitals NHS Trust, that attention translated into something more troubling: staff accessing the victims' medical records without clinical or administrative justification.
An internal investigation, conducted through audits of digital access logs, found that 25 members of staff had viewed those records inappropriately. Eleven were dismissed for gross misconduct. Fourteen received formal written warnings and remained employed. The trust maintains that a further 48 staff accessed the records for legitimate clinical reasons, though that figure is contested by representatives of the victims' families, who have described the overall scale of access as suspiciously high. Emma Webber, mother of Barnaby Webber, publicly expressed her disgust at the number of staff found to have been involved.
In a separate incident, unauthorised access to victims' medical records was also reported at a trust that provides services to those affected by the Southport attacks. The trust took internal disciplinary action. What followed has attracted the attention of the Care Quality Commission, which has opened a formal investigation into whether the trust met its statutory duty of candour: the legal obligation, under the Health and Social Care Act, to be open and honest with patients and the public when something goes wrong. The CQC's inquiry centres specifically on the gap between when the breach occurred and when the trust formally acknowledged it, and whether that gap reflects a deliberate withholding of information from victims' families. Those allegations remain under investigation and no findings have been issued.
Taken individually, each case might be attributed to human failing within a single institution. Taken together, they point to something the NHS has not yet adequately addressed. Large hospitals are, by function, places where sensitive data is held at scale. When a high-profile tragedy occurs, the names of victims circulate publicly within hours. Staff who treated those individuals, or who simply recognise their names, retain system access that cannot easily be restricted in real time. Digital audit logs can record who viewed a record and when. They cannot prevent the viewing from happening.
This is a known structural problem. The response to it, in both cases described here, was reactive. Access was logged, reviewed after the fact, and disciplinary processes followed. What was not swift, in either case, was disclosure to the people most entitled to it.
The duty of candour exists precisely because institutions have a demonstrated tendency toward internal resolution before external transparency. It is not discretionary guidance. Failure to comply carries the possibility of criminal prosecution for those in leadership positions. The CQC's investigation into the Southport trust will test whether that statutory requirement has any practical force when applied to an organisation under reputational pressure.
For the families in Nottingham, the disciplinary process has concluded, though the contested figures leave questions unanswered. For the families connected to the Southport attacks, the process is ongoing. In both instances, people who had already experienced the worst possible loss discovered, at some point after the fact, that the hospitals involved could not prevent colleagues from reading the most private details of their relatives' final care.
Whether these cases produce meaningful reform to how NHS trusts protect patient data during periods of acute public interest remains to be seen. The mechanisms for logging and investigating breaches exist. What appears to be less reliable is the willingness of institutions to act on those mechanisms transparently and without delay. Until that changes, the access logs will keep recording, and the families will keep finding out too late.