NHS Trust Disciplines 20 Staff Over Unauthorized Access to Attack Victims’ Medical Records

By MRAdmin

Privacy Violation and Disciplinary Response

Nottingham University Hospitals NHS Trust has issued a formal apology after an internal investigation found that staff improperly accessed the medical records of victims of the June 2023 Nottingham attacks. The attacks involved Valdo Calocane, who fatally stabbed three people and seriously injured three others. Trust investigators discovered that employees viewed the records of both deceased and surviving victims without any legitimate clinical or administrative reason.

Breach of Patient Privacy and Disciplinary Actions

The trust moved to discipline 20 staff members for these privacy violations. Eleven employees were dismissed, including four nurses, one other registered professional, and six additional staff. Another nine received final written warnings: four doctors, five nurses, one registered professional, and two other staff. None of those who accessed the records voluntarily came forward; the breaches were only uncovered after the families of the deceased victims alerted the trust. Medical director Manjeet Shehmar acknowledged that initial investigations focused solely on the records of the deceased, and the trust did not consider the three surviving victims until their solicitor contacted the organization in March 2025.

Implications for Healthcare Data Governance

This incident underscores a persistent challenge for healthcare organizations: protecting patient data from insider threats. Despite running awareness campaigns about inappropriate data access for years before these breaches occurred, the trust still faced multiple violations. The fact that a partner of one victim, Elaine Newton, who herself works for the trust, was not contacted about the breaches further highlights gaps in breach notification and transparency. For hospital security teams, this case reinforces the need for robust access controls, automated audit logging, and a culture of accountability. Healthcare CISOs should consider implementing stricter monitoring of access to sensitive records, especially after high-profile incidents, and ensure that breach investigation protocols explicitly cover all affected patients, including survivors. Failure to do so can erode patient trust and lead to regulatory penalties under data protection laws such as the Data Protection Act 2018.
