Hospital accused of ‘cover-up’ as 48 staff caught ‘snooping’ on Southport stabbing victims’ records
Dance teacher Leanne Lucas, who was one of the victims and has waived her right to anonymity, said she was devastated by the breach
Fury has erupted after it has emerged that 48 staff at Liverpool hospital trust inappropriately accessed the records of Southport stabbing victims.
Listen to this article
Dance teacher Leanne Lucas, who survived the attack and was one of the patients whose records were inappropriately accessed, said: “I am absolutely devastated and horrified that my privacy has been invaded when I was at my most vulnerable."
Ms Lucas, who has waived the right to anonymity added: "Nothing will take away my gratitude to the staff who saved my life, but 48 people not involved in my care abused their position of trust to access the files of victims who have suffered unspeakable trauma.
"The decision to keep this from me for almost two years is a new low. I am speaking out as I want this scandal and the attempted cover-up by senior management exposed for what it is.”
Read More: Kemi Badenoch calls for parents of Southport killer to be deported
The HSJ reports that a “standard” information access audit carried out by the University Hospitals of Liverpool Group the days after the incident revealed that 48 staff accessed their victims records without a good reason but this information was not given to the patients involved until this week.
The existence of the Liverpool trust’s internal investigation was only disclosed in a report written for a private board this month. Patients and their families have now been informed of the breach.
Nicola Brook, Legal Director at Broudie Jackson Canter, who represented three of the survivors including Ms Lucas at the Southport Inquiry, said: “This is a truly unbelievable breach of privacy for victims of one of the most horrific attacks this country has ever seen.
"This is more than a few bad apples when it was 48 different members of staff who, for no legitimate reason, chose to access vulnerable victims’ records.
"That speaks to a culture, and one that will only change if there are real consequences for those responsible. For the trust to then try to hide that it happened is appalling.
"The trust has many questions to answer, and we will be ensuring our clients get those answers as soon as possible.”
The trust denies any attempt at a cover-up. It is understood that the board had originally planned to tell those involved about the breach but its leadership changed their mind sometime in 2025, after trust directors decided that informing the patients would not be in their best interests, as it risked retraumatising them.
The internal Liverpool Hospitals report seen by HSJ said 64 cases of access, which raised suspicions, had been identified by the audit.
Four of the staff involved left the trust before the investigation while 12 were found to have had legitimate reasons for accessing the records.
The remaining 48 have faced a range of disciplinary action from “informal counselling to a final written warning”, though none have been dismissed.
UHLG chief executive James Sumner formally apologised to the victims.
He said: “We are sincerely sorry for any distress that may have been caused to the patients that were under our care and who trusted us to look after them when they were most vulnerable.
“Breaches of patient confidentiality are inexcusable and undermine the hard work of those teams who sought to provide the highest standard of care to these patients after they experienced such traumatic and life-changing events. Staff who were found to access patient records were subject to HR disciplinary processes."
He said the trust had notified the relevant regulators and professional bodies, including the Information Commissioner’s Office, and “were fully transparent about any findings and actions taken”.
Mr Sumner added: “Learning from the incident has led to the introduction of a digital solution which reduces inappropriate access to patient records of this nature.”
The trust reported the incident to the ICO in August 2024, “in line with standard practice”.
The ICO confirmed the trust had informed them about the breaches, but it had not opted to carry out its own independent investigation.
It said: “In any circumstance, we always reserve the right to launch our own investigation, based on our assessment of criminality or if new information comes to light.”
The watchdog said it was “satisfied” no staff had broken data protection laws relating to unlawfully obtaining personal data.
Three young girls – Elsie Dot Stancombe, seven, Alice da Silva Aguiar, nine, and Bebe King, six, – were killed in the attack on the Taylor Swift-themed dance party July 29 2024, while 10 others were injured.
Axel Rudakubana was jailed for life for their murders last year.
Last year staff at Nottingham University Hospitals Trust inappropriately accessed the care records of the victims of the attack by Valdo Calocane.
Their families said that the revelations were “sickening” and “gross invasions of privacy and civil liberty”.