
Nottingham Hospital Trust Sacks Eleven Staff Over Unauthorised Access To Attack Victims' Records

By Distilled Post Editorial Team

Nottingham University Hospitals NHS Trust has dismissed 11 members of staff after an internal investigation found they had looked at the medical records of three people murdered in the 2023 Nottingham attacks without any clinical reason to do so. Fourteen more employees were given written warnings. The trust has described the breach as a serious violation of patient confidentiality and a clear failure to meet the standards expected of anyone working in the health service.

The records involved belonged to Barnaby Webber, Grace O'Malley-Kumar and Ian Coates, who were killed by Valdo Calocane in June 2023. Investigators found that doctors, nurses and administrative staff had opened the files despite having no role in caring for the three victims. Dr Manjeet Shehmar, the trust's medical director, said accessing patient information without legitimate clinical justification represented a serious violation of professional standards, and that the trust was still working to establish exactly how and when the access had occurred. The inquiry is ongoing, and the trust has indicated that the records of survivors, including Wayne Birkett, Sharon Miller and Marcin Gawronski, are also being examined for similar unauthorised access. Emma Webber, Barnaby's mother, said it was shocking to learn how many staff had faced disciplinary action, and that the families had already endured enough without this additional intrusion into their relatives' private information.

This is not the first occasion on which an NHS organisation has had to confront staff curiosity about records they had no business viewing. In 2023 the Information Commissioner's Office reprimanded NHS Lanarkshire after 26 employees were found sharing patient details, including images and clinical information, through a WhatsApp group over a two-year period. The same year, NHS Highland was reprimanded over a breach affecting people linked to HIV services, and an employee at Worcestershire Acute Hospitals NHS Trust was fined after looking through the files of 156 patients outside her own department. Cases like these suggest the problem is less a single failing system than a recurring weakness in how access is monitored once staff already hold the keys to it.

Unauthorised access to patient data breaches the UK GDPR and the Data Protection Act 2018, and can amount to a criminal offence under section 170 of that Act, which covers the unlawful obtaining of personal data. NHS staff are also bound by the Caldicott principles, which restrict access to identifiable information to those with a genuine need to know it. The ICO can issue reprimands, enforcement notices or fines depending on how serious a breach is judged to be. Here, Nottinghamshire Police and professional regulators, including the Nursing and Midwifery Council and the General Medical Council, have also become involved, and the licences of some clinicians are understood to be under review.

The trust has apologised to the families affected and says it has no tolerance for staff who look at records without a legitimate reason. Dr Shehmar said he hoped families, staff and the wider community would feel reassured that the matter was being taken seriously. Patient groups have long warned that breaches of this kind damage public confidence, since they ask people to trust that the system caring for them is not also exposing their most private information to colleagues with no need to see it. That trust tends to take far longer to rebuild than the time it took to break.

NUH says it is reviewing its audit systems and will continue to identify any staff who accessed the records without justification, with further disciplinary action possible as the investigation progresses. It has not yet said whether new technical controls will follow. What the case confirms, alongside the reprimands handed to other trusts in recent years, is that writing a confidentiality policy and enforcing it in practice remain two different things. The NHS holds some of the most sensitive data that exists about anyone, and the events at Nottingham are a reminder that protecting it depends as much on the conduct of individual staff as on any system built to watch over them.