Info Gov

North West Ambulance Service is formally investigating whether staff “inappropriately” accessed the medical records of Southport attack victims.

The service confirmed it had identified concerns about potential inappropriate access to patient records, prompting a formal investigation.

It comes after it emerged in May that a number of workers at Aintree Hospital, where some of the injured victims were treated, had looked at the records with no good reason.

Three young girls were murdered in the attack, while 10 others were physically injured.

Lawyers representing one of the girls said a recent string of patient data breaches has highlighted “a deep-rooted culture of snooping within the NHS”.

In May, Nottingham University Hospitals NHS Trust said 11 members of staff had been dismissed and a further 14 had actions taken against them for inappropriately accessing medical records of the Nottingham stabbing victims.

Nicola Ryan-Donnelly, Associate Solicitor at Fletchers Solicitors said: “People who are seriously injured or dying should not have the added worry that they are being pried on, as they are rushed into hospital fighting for their lives. We want to see a full review by NHS England of the current policy governing all NHS staff on inappropriate patient data breaches.”

She added: “NHS staff who accessed the records of the Nottingham attack victims were dismissed from their roles; but only after an inquiry and public outrage scrutinised the actions of Trust bosses. At Aintree Hospital, only five members of staff were given a final written warning after accessing the records of a young girl stabbed multiple times in the Southport attack. Because of their delays in telling the victims of the breach, several staff members had moved on from their job before they were ever sanctioned. This is not good enough. The behaviour by these NHS workers is staggering and deserves more than a slap on the wrist.”

North West Ambulance Service said it has notified the Information Commissioner’s Office (ICO) of its investigation, which last month issued a direct public warning to NHS and healthcare leaders that unauthorised access to patient records is a criminal matter, not a disciplinary one, and that curiosity is not a lawful basis for viewing records.

Writing in a blog published on 22 June 2026, ICO Chief Executive Paul Arnold described the issue as primarily a "cultural failing" and called on senior healthcare leaders to take proactive steps to prevent breaches before they occur, rather than manage the consequences after the fact.

An ICO spokesperson said: “People need to trust that their medical information is safe and only available to healthcare staff who need to use it. When medical records are accessed without a legitimate reason, this can be deeply concerning for patients and their families.

“North West Ambulance Service has made us aware of their internal investigation into cases of potential inappropriate access to medical records by staff. As this is ongoing, we will assess any evidence provided in due course and consider our next steps, including whether any criminal investigations need to be opened for breaking data protection law.

"This is a wider issue across the health sector that we are supporting organisations to address. We are working closely with the National Data Guardian and NHS England, and we continue to remind all organisations about the importance of keeping patient data secure.”

North West Ambulance Service Chief Executive, Salman Desai, said: “We will contact families and patients who may have been affected as our enquiries progress.

“Any inappropriate access to patient information will be treated extremely seriously. We are deeply sorry for the concern and distress this may cause.”

Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…
Jun 24, 2026

ICO EdTech audit finds widespread compliance failures in children's data handling

A programme of consensual audits carried out by the Information Commissioner's Office has identified systemic data protection failings across the UK education technology sector, with nearly 70 per cent of providers found to be acting as controllers over children's personal data without recognising or fulfilling that role.

InfoGov Masthead Newsletter 800