Hospital staff have faced criticism for inappropriately accessing the medical records of individuals affected by the Southport attack. The incident, which occurred at a Taylor Swift-themed dance event on July 29, 2024, resulted in the tragic deaths of Bebe King, Elsie Dot Stancombe, and Alice da Silva Aguiar, with several others sustaining serious injuries due to an attack by Axel Rudakubana.
Following the attack, some of the injured individuals received treatment at University Hospitals of Liverpool Group. An internal audit conducted by the trust shortly after the incident uncovered that 48 staff members had accessed their records without valid reasons. However, the affected patients were not informed of this breach until recently.
One survivor of the attack, Leanne Lucas, who was among the patients whose records were inappropriately accessed, expressed dismay at the lack of transparency, referring to it as an attempted cover-up. She emphasized the breach of privacy and trust, condemning the staff members who accessed the files of vulnerable victims without authorization.
The hospital trust refuted claims of a cover-up, stating that they had initially planned to inform the affected individuals about the breach. However, a change in leadership decision in 2025 led to a determination that informing the patients could potentially retraumatize them, hence the delay in disclosure.
Legal Director Nicola Brook, representing survivors at the Southport Inquiry, denounced the privacy breach as an egregious violation, highlighting the need for accountability and consequences for those involved. The trust’s handling of the situation was criticized for attempting to conceal the breach.
The unauthorized access to the care records of Southport victims mirrors a previous incident at Nottingham University Hospitals Trust. In both cases, families and survivors expressed outrage at the invasion of privacy and called for accountability.
Following the audit, 64 suspicious access cases were identified, with disciplinary actions ranging from informal counseling to written warnings imposed on the 48 staff members involved. The hospital’s chief executive issued a formal apology to the victims, acknowledging the breach of patient confidentiality and emphasizing the importance of upholding privacy standards.
The trust informed relevant regulatory bodies and implemented digital solutions to prevent future unauthorized access to patient records. While the ICO was notified of the breach and confirmed no data protection laws were broken, it retains the right to investigate further if warranted by new information.
