The NHS doesn’t have a data security problem. It has a culture problem.
This week, Cambridge University Hospitals referred itself to the Information Commissioner’s Office after it emerged that around 40 members of staff had accessed the medical records of a three-year-old boy injured in a crocodile attack. The child was treated at Addenbrooke’s following a horrific incident at a zoo near Huntingdon earlier this month. He survived. His family now has to contend with the knowledge that dozens of hospital staff looked at his records, and the trust is still trying to establish whether any of them had a legitimate clinical reason to do so.
It is a striking story. It is also, unfortunately, not a new one.
In May, it was revealed that 48 staff at Aintree Hospital — part of the University Hospitals of Liverpool Group — had inappropriately accessed the records of Southport attack victims, including a 13-year-old girl and dance instructor Leanne Lucas, who had been stabbed five times. That breach happened in the days after the July 2024 attack and was not disclosed to those affected for nearly two years. When it was finally revealed, Leanne Lucas described the decision to keep it from her as “a new low” and accused the trust of attempting a cover-up. The disciplinary outcomes? Informal counselling to final written warnings. Nobody was dismissed.
A week later, it emerged that up to 150 staff at Nottingham University Hospitals had accessed the records of the victims of the 2023 Nottingham stabbings — Barnaby Webber, Grace O’Malley-Kumar, and Ian Coates. Eleven people were dismissed. Twelve received final written warnings. Two received first written warnings. Barnaby’s mother, Emma Webber, described the scale as “shocking” and disputed the trust’s finding that 48 of those who accessed the records had legitimate reasons to do so.
Three incidents. Three trusts. Three very different responses.
The training narrative doesn’t hold up
Every time something like this happens, there is a familiar sequence. The trust apologises. It refers itself to the ICO. It says it has strict policies in place. It promises to review its training. And then, some months or years later, exactly the same thing happens somewhere else.
I want to challenge the training narrative directly, because I think it lets organisations off the hook in a way they don’t deserve.
Every NHS employee in England completes mandatory data security training. The Data Security and Protection Toolkit requires it. Trusts report on it annually. The content is not ambiguous: you do not access patient records unless you have a legitimate clinical or operational reason to do so. That is not a subtle point buried in a policy document. It is the first principle of patient confidentiality, and anyone who has worked in a healthcare setting for more than a week has encountered it.
So when 40 staff at Addenbrooke’s, or 48 at Aintree, or potentially 150 at Nottingham University Hospitals, look up the records of a patient who has appeared in the news, it is not because they didn’t know it was wrong. It is because, in that moment, they made a calculation — whether consciously or not — that curiosity was worth the risk. And the reason they made that calculation is simple: they did not believe the consequences would be serious.
In some cases, they were right.
Inconsistency is its own message
The disciplinary outcomes across these three cases are not just inconsistent — they are incoherent. At Liverpool, nobody lost their job. At Nottingham, eleven people did. At Addenbrooke’s, the investigation is only just beginning. There is no visible common standard being applied, no sense that the NHS as a system has decided what this behaviour warrants.
This matters enormously from a behaviour change perspective. When staff across the NHS see that the same misconduct leads to a quiet word in one trust and dismissal in another, the message they receive is not “this is serious”. The message is “it depends on where you work and whether you get unlucky.” That is not a deterrent. It is a lottery, and people instinctively play lotteries when the prize — in this case, satisfying curiosity about a high-profile patient — feels worth the odds.
Training cannot fix this. No amount of e-learning modules will change the risk calculation if the consequences remain unpredictable and, in many cases, negligible.
Who’s holding NHS trusts accountable for patient records breaches?
I have written before about the ICO’s approach to public sector enforcement, and I will not rehearse all of that here. But it is worth noting that in the Southport case, the trust notified the ICO and was “fully transparent about findings and actions taken.” The outcome, as far as we know, was no regulatory action beyond that notification.
The ICO has a long-standing tendency to treat self-referral and expressions of remorse as sufficient. It has also, over many years, adopted a markedly more lenient approach to public sector organisations than to private ones — a position it has explicitly acknowledged and, in effect, defended. The rationale has been that fining public bodies simply redirects money from frontline services. There is some logic to that argument. But it sits uneasily with the reality that the public sector handles some of the most sensitive personal data in existence: health records, social care histories, criminal justice information. If any sector should be held to a high standard, it is this one.

The effect of the ICO’s approach has been to create a two-tier enforcement landscape in which public bodies know, at an institutional level, that the financial and regulatory consequences of a breach are likely to be minimal. That creates a dynamic where the act of reporting a breach becomes a way of drawing a line under it rather than the beginning of meaningful accountability. Trusts have learned this. They refer themselves. They apologise. They announce training reviews. And the cycle continues.
The ICO needs to look at the pattern across these cases, not just the individual incidents in isolation. When the same type of breach keeps occurring, in different trusts, involving different high-profile patients, that is a systemic failure — and systemic failures require a systemic response.
The real question
The crocodile case is, in some ways, the starkest of the three. There is no shared grief, no collective shock, no proximity to a mass-casualty event of the kind that might explain — though never excuse — why a member of staff might have opened records they had no business looking at. This appears to be straightforward curiosity. A child arrived at Addenbrooke’s after a highly unusual and widely reported incident, and dozens of staff apparently decided to have a look.
That should prompt some uncomfortable questions inside the NHS about what is really happening with professional culture. Are staff genuinely clear that this is not a grey area? Do they understand that “I was curious” is not a defence? Do they believe, when they look at the records, that there is a meaningful chance they will face real consequences?
And critically: do line managers and clinical leads create the kind of environment where these things are openly discussed, where the boundary is clear, and where there is no ambiguity about expectations?
Because if the answer to any of those questions is no, adding another module to the mandatory training programme is not going to make the slightest difference.
The NHS has the policies. It has the training. What it appears to lack, in at least some of its trusts, is a culture where patient confidentiality is treated as a genuine professional obligation rather than a box to be ticked during mandatory training and then quietly set aside when someone interesting ends up in the next ward.
That is a leadership problem. Training has a role to play — the right training, delivered in the right way, reinforced by managers who treat these conversations as ongoing rather than annual. But training that is not backed by consistent consequences, and not embedded in a culture where confidentiality is genuinely valued, will not change behaviour. Ticking the compliance box and hoping for the best is not a strategy. It is how we end up having the same conversation again in six months’ time, about a different trust, and a different patient.