11 NHS staff dismissed over access to Nottingham attack victims’ records

Eleven staff members at Nottingham University Hospitals NHS Trust were dismissed after inappropriately accessing the medical records of Barnaby Webber, Grace O’Malley-Kumar and Ian Coates, in a breach that deepened the trauma around the 2023 Nottingham attacks.

The trust said a further 14 employees had action taken against them, including two first written warnings and 12 final written warnings. Those disciplined included doctors, nurses, registered medical professionals, and administrative and clerical staff, showing the breach stretched across clinical and non-clinical roles rather than a single department.

NUH said the investigations began in early 2025 and families were told the outcomes this week. Dr Manjeet Shehmar, the trust’s medical director, apologised to the families and said access to patient records without a legitimate reason was “totally unacceptable.” The trust said investigations were still ongoing.

The records belonged to three people whose deaths stunned Nottingham and the wider country: Webber and O’Malley-Kumar, both 19-year-old students, and Coates, a 65-year-old school caretaker. They were stabbed to death by Valdo Calocane in June 2023, after he also attempted to kill three other people.

The families first spoke publicly about the alleged access in March 2025, describing it as “distressing and traumatic.” They later called it a “gross invasion of privacy,” as well as “sickening” and “inexcusable voyeurism.” Their concern went beyond one hospital trust. They said that while some staff across agencies would legitimately need to see records, images and data, “dozens, perhaps even hundreds” did not need access.

That wider context has made the case a test of public-sector data governance as much as a hospital discipline matter. Allegations also emerged about access by Nottinghamshire Police, HM Prison and Probation Service and HM Courts and Tribunals Service, adding to questions over how tightly sensitive information about victims is protected once a major criminal case enters the system.

For NUH, the central failure is stark: the victims’ records were not just viewed without cause, they were viewed by people who should have known better. The scale of the sanctions suggests the breach was not an isolated lapse but a serious breakdown in professional trust, record security and oversight inside a public health system already under scrutiny.