Exclusive: Southport attack victim accuses trust of ‘cover up’ over care records breach

Three young girls – Elsie Dot Stancombe, Alice da Silva Aguiar, and Bebe King – were killed in the attack on 29 July 2024, while 10 others were injured. The perpetrator was jailed for life last year.

Some of the injured were treated at University Hospitals of Liverpool Group. HSJ has learned that a “standard” information access audit carried out by the trust in the days after the incident revealed that 48 staff accessed their records without a good reason. However, this information was not given to the patients involved until this week, following HSJ’s inquiries.

Leanne Lucas survived the Southport attack and was one of UHLG patients whose records were inappropriately accessed.

She told HSJ: “I am absolutely devastated and horrified that my privacy has been invaded when I was at my most vulnerable.  Nothing will take away my gratitude to the staff who saved my life, but 48 people not involved in my care abused their position of trust to access the files of victims who have suffered unspeakable trauma. The decision to keep this from me for almost two years is a new low. I am speaking out as I want this scandal and the attempted cover-up by senior management exposed for what it is.”

The trust denies any attempt at a cover-up. Its board had originally planned to tell those involved about the breach. However, HSJ understands its leadership changed their mind sometime in 2025, after trust directors decided that informing the patients would not be in their best interests, as it risked retraumatising them.

The existence of the Liverpool trust’s internal investigation was disclosed in a report written for the board’s private meeting this month, which has been seen by HSJ.

The patients and their families have now been informed of the breach. To date, only Ms Lucas has waived her right to anonymity. 

Nicola Brook is a Legal Director at Broudie Jackson Canter, who represent three of the survivors, including Ms Lucas, at the Southport Inquiry. She said: “this is a truly unbelievable breach of privacy for victims of one of the most horrific attacks this country has ever seen. This is more than a few bad apples when it was 48 different members of staff who, for no legitimate reason, chose to access vulnerable victims’ records.  

“That speaks to a culture, and one that will only change if there are real consequences for those responsible. For the trust to then try to hide that it happened is appalling. The trust has many questions to answer, and we will be ensuring our clients get those answers as soon as possible.”

Nicola Ryan-Donnelly from Fletchers Solicitors has called the incident “a deeply disturbing abuse of power and a shocking breach of privacy” including of a young girl they represent. 

“It is absolutely shameful that the trust have known about this gross breach since a few days after the attack, yet have sought to keep it from the survivors and their families until almost two years later. Our client, who is now growing into a young woman, is old enough to properly understand what this means; that staff opened her records, not to aid to her recovery but to pry.”

She added: “We have already met with the trust to begin fully investigating this and will now be working to ensure that the trust gives her family the answers they deserve, and that those 48 staff who inappropriately accessed these records face proper accountability.”

The revelations that the care records of the Southport victims had been inappropriately accessed follows a similar incident at Nottingham University Hospitals Trust last year. In this case, staff accessed the care records of the victims of the attack by Valdo Calocane. Their families told the Mirror, which first reported claims of the breaches, that the revelations were “sickening” and “gross invasions of privacy and civil liberty”.

Trust CEO: Breach was ‘inexcusable’

The internal Liverpool Hospitals report seen by HSJ said 64 cases of access, which raised suspicions, had been identified by the audit. Four of the staff involved left the trust before the investigation. Of the remaining 60 staff, 12 were found to have had legitimate reasons for accessing the records.

The remaining 48 have faced a range of disciplinary action from “informal counselling to a final written warning”, though none have been dismissed.

UHLG chief executive James Sumner today issued a formal apology to the victims. He said: “We are sincerely sorry for any distress that may have been caused to the patients that were under our care and who trusted us to look after them when they were most vulnerable.

“Breaches of patient confidentiality are inexcusable and undermine the hard work of those teams who sought to provide the highest standard of care to these patients after they experienced such traumatic and life-changing events. Staff who were found to access patient records were subject to HR disciplinary processes.”

He said the trust had notified the relevant regulators and professional bodies, including the Information Commissioner’s Office, and “were fully transparent about any findings and actions taken”.

The CEO added: “Learning from the incident has led to the introduction of a digital solution which reduces inappropriate access to patient records of this nature.”

The trust reported the incident to the ICO in August 2024, “in line with standard practice”. The ICO confirmed the trust had informed them about the breaches, but it had not opted to carry out its own independent investigation.

It said: “In any circumstance, we always reserve the right to launch our own investigation, based on our assessment of criminality or if new information comes to light.”

The watchdog said it was “satisfied” no staff had broken data protection laws relating to unlawfully obtaining personal data (See the full ICO statement below).

Updated at 10am on 15th May 2025 to include comment from Fletchers Solicitors