
Southport survivor distraught after NHS staff accessed records without justification

Forty-eight NHS staff improperly accessed the medical records of victims of the Southport attack, triggering accusations of a cover‑up from a survivor who was treated at the hospital trust.

‘Devastated and horrified’

Leanne Lucas, who was the instructor at the Taylor Swift‑themed dance workshop targeted by Axel Rudakubana in July 2024, said she was “absolutely devastated and horrified” that her privacy had been invaded “when I was at my most vulnerable”. Ms Lucas, who suffered stab wounds to her spine, head, ribs, lung and shoulder blade while trying to protect the children, has since waived her right to anonymity and become a prominent campaigner against knife crime, launching the “Let’s Be Blunt” campaign for safer kitchen knives. Earlier this month she met the Prince of Wales at a Buckingham Palace garden party.

“Nothing will take away my gratitude to the staff who saved my life, but 48 people not involved in my care abused their position of trust to access the files of victims who have suffered unspeakable trauma,” she said. “The decision to keep this from me for almost two years is a new low. I am speaking out as I want this scandal and the attempted cover up by senior management exposed for what it is.”


Nicola Brook, a legal director at Broudie Jackson Canter – which represents three survivors including Ms Lucas at the ongoing Southport Inquiry – described the breach as “truly unbelievable”. She said: “This is more than a few bad apples when it was 48 different members of staff who, for no legitimate reason, chose to access vulnerable victims’ records. That speaks to a culture and one that will only change if there are real consequences for those responsible.”

Audit, delay and the trust’s defence

University Hospitals of Liverpool Group (UHLG) conducted a standard information access audit in the days following the 29 July 2024 attack, which killed three girls – Alice da Silva Aguiar, nine, Bebe King, six, and Elsie Dot Stancombe, seven – and injured ten others. The audit found that 48 staff members had accessed the records of victims without a legitimate reason. The trust reported the incident to the Information Commissioner’s Office (ICO) in August 2024, but the patients involved were not told about the breach until this week – nearly two years later.


James Sumner, the trust’s then chief executive, defended the delay. He said the decision not to inform patients sooner was made after “taking into consideration the potential psychological impact it may have upon them at the time”. Mr Sumner, who announced his departure from UHLG in April 2026 for personal and organisational reasons, insisted the trust had “notified the relevant regulators and professional bodies” and had been “fully transparent about any findings and actions taken”.

He added: “We are sincerely sorry for any distress that may have been caused to the patients that were under our care and who trusted us to look after them when they were most vulnerable. Breaches of patient confidentiality are inexcusable and undermine the hard work of those teams who sought to provide the highest standard of care to these patients after they experienced such traumatic and life‑changing events.” The trust confirmed that staff found to have accessed records inappropriately were subject to HR disciplinary processes, with penalties ranging from informal counselling to a final written warning. None were dismissed.


The ICO confirmed it had provided support to the trust during its internal investigations and disciplinary processes. An ICO spokesperson said: “People need to trust that their medical information is safe and only available to healthcare staff who need to use it. Anyone inappropriately accessing information in this way may face disciplinary action or even criminal prosecution in some cases.” The regulator added that it did not intend to start a criminal investigation into anyone for breaking data protection law at this time, but said it would “always keep this under review should new information emerge” and described the breach as part of “a wider issue across the health sector”.

Rudakubana was jailed for life with a minimum term of 52 years for the murders of the three girls and the attempted murders of eight other children, who cannot be named for legal reasons, as well as Ms Lucas and businessman John Hayes.

Alaric Whitcombe

Political Correspondent
