48 staff at Aintree Hospital in Liverpool improperly viewed the records of three Southport knife-attack victims in the days after the July 2024 stabbings, University Hospitals of Liverpool Group said.
The trust called the breach "inexcusable" and said an audit uncovered it in 2024, but the patients were not told for almost two years because managers said clinical advice warned disclosure could worsen psychological harm.
Leanne Lucas, the dance teacher stabbed five times in the attack, said she learned of the breach only on Thursday and accused senior management of a cover-up; the trust denied that allegation.
No staff were dismissed: disciplinary action ranged from informal counselling to a final written warning, while the Information Commissioner's Office said it is not opening a criminal investigation at this time.
The breach has drawn criticism from lawyers and MPs, who said the scale of unauthorized access undermines confidence in NHS confidentiality and raises questions about accountability in high-profile cases.
48 staff breached patient privacy, yet none were fired. What does this reveal about accountability in the NHS?
The NHS promised better data security through digitization. Why did it fail so catastrophically at Aintree Hospital?