Forty-eight members of staff at a major NHS trust accessed the medical records of Southport attack survivors without legitimate clinical reason. The patients whose files were viewed were not told for nearly two years.

On 29 July 2024, a mass stabbing at a children's dance class in Southport killed three young girls: Elsie Dot Stancombe, Alice da Silva Aguiar, and Bebe King. Ten others were injured. The perpetrator was sentenced to life imprisonment. Several of the survivors received treatment at University Hospitals of Liverpool Group.

In the days following the attack, the trust conducted a standard information access audit. It identified 64 cases of suspicious record access. Twelve of those were later found to have had legitimate clinical justification. The remaining 48 did not. Disciplinary action was taken against those staff members, ranging from informal counselling to final written warnings. None were dismissed.

The trust's board had initially planned to inform the affected patients of the breach. At some point in 2025, that decision was reversed. Senior leadership concluded that notifying patients risked retraumatising them. The patients were only informed this week.

Leanne Lucas, a survivor who was among those whose records were accessed, waived her right to anonymity to speak publicly about the breach. "I am absolutely devastated and horrified that my privacy has been invaded when I was at my most vulnerable," she said. "48 people not involved in my care abused their position of trust to access the files of victims who have suffered unspeakable trauma. The decision to keep this from me for almost two years is a new low."

Nicola Brook, Legal Director at Broudie Jackson Canter, represents three survivors at the Southport Inquiry, including Ms Lucas. She rejected the trust's framing of the breach as a matter of individual misconduct. "This is more than a few bad apples when it was 48 different members of staff who, for no legitimate reason, chose to access vulnerable victims' records. That speaks to a culture, and one that will only change if there are real consequences for those responsible." She added that the decision to withhold the information from patients was "appalling" and that her firm would be pressing the trust for answers.

James Sumner, Chief Executive of University Hospitals of Liverpool Group, issued a formal apology. "Breaches of patient confidentiality are inexcusable and undermine the hard work of those teams who sought to provide the highest standard of care to these patients after they experienced such traumatic and life-changing events," he said. The trust notified the Information Commissioner's Office in August 2024, and Mr Sumner said it had been fully transparent with regulators. He confirmed that a new digital system had since been introduced to reduce the likelihood of similar breaches occurring.

The ICO confirmed it had been in contact with the trust since August 2024 and had received regular updates. It said it was satisfied that no staff had been referred in connection with criminal breaches of data protection law, though it reserved the right to launch its own investigation should new information emerge.

This is not an isolated case. Last year, staff at Nottingham University Hospitals Trust were found to have accessed the care records of victims of the attack carried out by Valdo Calocane. Families of those victims described the breaches as sickening. Taken together, the two incidents raise serious questions about how NHS trusts handle patient data in the aftermath of high-profile incidents, and whether existing safeguards are sufficient to prevent access by staff with no clinical involvement in a patient's care.