NHS trust admits 48 staff accessed Southport victims' records improperly

Forty-eight staff at the University Hospitals of Liverpool Group accessed Southport victims’ medical records without good reason, and the trust did not tell patients and families for nearly two years. An internal audit found 64 suspicious access cases across Aintree, Broadgreen and the Royal Liverpool Hospital, raising fresh questions about how privacy safeguards were enforced inside the health service.

The review, carried out in the days after the 29 July 2024 attack, found that four of the staff involved had already left the trust. Of the remaining 60 cases, 12 were judged to have had legitimate reasons for viewing the records, while 48 were found to have had no good reason. Those 48 staff faced disciplinary action ranging from informal counselling to a final written warning, and none were dismissed.

The trust reported the incident to the Information Commissioner’s Office in August 2024, but patients and families were only told this week. The delay has deepened anger among survivors and their representatives, who say the case is not only about unauthorised access but about a system that failed to notify victims promptly after their most intimate medical information was viewed by staff who had no right to see it.

Leanne Lucas, who organised the dance workshop and was treated for serious injuries, said she was “absolutely devastated and horrified” that her privacy had been invaded when she was at her most vulnerable, and said the decision to keep the breach from her for almost two years was “a new low”. Nicola Brook, legal director at Broudie Jackson Canter and a lawyer for three survivors including Lucas, called it “a truly unbelievable breach of privacy” and said it was “more than a few bad apples”, because 48 staff were involved.

The Southport attack killed Alice da Silva Aguiar, 9, Bebe King, 6, and Elsie Dot Stancombe, 7, and injured 10 other people at a Taylor Swift-themed dance workshop. Axel Rudakubana later admitted murdering the three girls and was jailed for at least 52 years on 23 January 2025. Home Secretary Yvette Cooper said agencies had failed to identify the “terrible risk and danger to others” he posed, after it emerged he had been referred to Prevent three times between December 2019 and April 2021.

The breach lands against the backdrop of the Southport Inquiry, whose Phase 1 report was published on 13 April 2026. Together, the attack, the delayed notification and the internal access failures point to a broader question that now falls squarely on public institutions: whether privacy rules, oversight checks and disciplinary systems are strong enough when victims most need them.