An NHS trust in England has dismissed 11 staff members after an investigation found they had illegally accessed the confidential medical records of victims involved in the deadly Nottingham attacks, in a scandal that has intensified scrutiny over patient privacy and data protection across the UK healthcare system.
Nottingham University Hospitals NHS Trust confirmed that disciplinary action had been taken against multiple employees following allegations that medical files connected to the June 2023 attacks were viewed without lawful or professional justification.
The investigation relates to the case of Valdo Calocane, who killed university students Barnaby Webber and Grace O’Malley-Kumar, both aged 19, along with school caretaker Ian Coates, during a series of attacks in Nottingham in June 2023.
The trust said a further 14 staff members received formal written warnings but were allowed to remain in their jobs. The disciplinary measures followed months of internal investigations into the unauthorised viewing of confidential patient information linked to the victims and survivors of the attacks.
NHS Investigation Reveals Scale of Medical Record Breaches
The scandal has triggered outrage among victims’ families, who say the extent of misconduct inside the hospital system is far greater than initially acknowledged.
According to the trust, around 150 members of staff accessed records connected to the victims. However, hospital officials argued that 48 of those cases involved legitimate clinical or administrative reasons.
Families of the victims strongly dispute that assessment.
Emma Webber condemned what she described as “appalling failures” by NHS employees entrusted with sensitive medical information.
She said the number of staff deemed to have had legitimate reasons for viewing the files was “far too high” and confirmed the families were formally challenging the trust’s conclusions.
The dismissed employees reportedly included nurses, administrators and other registered healthcare professionals. It is understood that most of the staff dismissed were nurses, while none were doctors.
The trust has not publicly identified the individuals involved.
NHS Trust Apologises to Victims’ Families
Dr Manjeet Shehmar issued a public apology to the families affected by the data breach scandal.
In a statement, Shehmar acknowledged that the victims’ relatives had already suffered immense trauma from the attacks and said the inappropriate access to records had caused further distress.
She stressed that patient information could only be accessed when directly relevant to a staff member’s professional duties.
Shehmar said the trust was committed to identifying all instances where records were accessed unlawfully and insisted the disciplinary action demonstrated that such conduct would not be tolerated.
The trust also confirmed that the case had been reported to the Information Commissioner’s Office and Nottinghamshire Police.
Additional referrals may also be made to professional regulators including the General Medical Council and the Nursing and Midwifery Council, both of which have powers to strike healthcare professionals off their registers.
Privacy Concerns Grow Across NHS England
The case has renewed wider concerns about patient confidentiality and digital access controls within NHS hospitals.
Healthcare privacy experts have repeatedly warned that large electronic medical systems can be vulnerable to misuse if internal monitoring systems are not strict enough.
The Nottingham scandal is one of the largest known cases involving alleged unauthorised access to sensitive NHS patient records in recent years.
Medical records in the UK contain highly confidential details including treatments, injuries, mental health information and personal contact data. NHS rules require staff to access records only when directly involved in patient care or authorised administrative duties.
The General Medical Council said accessing records without legitimate need represented a serious breach of professional guidance.
Healthcare unions and privacy campaigners have also warned that public trust in the NHS depends heavily on strict protection of confidential medical information.
Families Continue to Demand Accountability
The families of the victims say the scandal has deepened their suffering following the Nottingham attacks.
Emma Webber said the families remained unconvinced by the trust’s explanation that dozens of staff had legitimate reasons to access the files.
She said the relatives intended to continue scrutinising the trust’s findings and expected the number of disciplinary cases to increase as investigations progressed.
“It’s heartbreaking that on top of our tragic loss, we’ve also had to face such appalling additional failures by members of staff who should know better,” she said.
Webber also urged healthcare workers involved to consider how they would feel if their own family members’ confidential medical information had been accessed improperly.
Further Investigations Still Ongoing
The trust confirmed investigations were continuing into additional allegations involving the records of surviving victims, including Wayne Birkett, Sharon Miller and Marcin Gawronski.
The inquiry into the Nottingham attacks is also continuing and will examine events leading up to the killings, including mental health treatment decisions involving Calocane.
Calocane was given an indefinite hospital order in January 2024 after admitting manslaughter by diminished responsibility and attempted murder.
The sentencing sparked major public and political controversy, with victims’ families criticising prosecutors and mental health services over how the case was handled.
Political Reaction to Nottingham NHS Data Breach
Nadia Whittome condemned the unauthorised access to medical records and called for stronger safeguards to protect patient confidentiality.
She described the actions as “cruel” and “selfish”, adding that the misuse of private information showed disregard for both the victims and their loved ones.
Whittome said NHS organisations must ensure all staff clearly understood that accessing patient records without lawful justification represented a serious professional violation.
The case has intensified pressure on NHS trusts across Britain to review staff access procedures, monitoring systems and cybersecurity safeguards surrounding electronic patient records.
Growing Focus on NHS Data Security
The scandal comes as NHS organisations increasingly rely on digital healthcare systems and electronic patient records across hospitals and clinics.
Healthcare regulators have repeatedly warned that stronger internal controls are needed to prevent inappropriate access to sensitive data.
Experts say even when records are not leaked publicly, unlawful viewing of confidential files can seriously undermine patient trust in healthcare providers.
The Nottingham case is expected to become a major reference point in future NHS discussions around data protection, staff accountability and patient privacy standards.