48 staff. No dismissals. No ICO investigation. The Southport records breach tells us everything we need to know about insider threat.

When the news broke this week that 48 NHS staff had inappropriately accessed the medical records of Southport attack victims — and that the highest sanction any of them received was a final written warning — many people’s first reaction was disbelief. It should have been the second reaction too.

The facts, as reported by the Health Service Journal and widely covered since, are these. In July 2024, three children were murdered and ten others injured at a dance class in Southport. Some of the survivors were treated at University Hospitals of Liverpool Group. In the days that followed, an information access audit — the kind of routine monitoring system that every NHS trust should have in place — identified that 64 instances of suspicious access had occurred. Of the staff involved, 12 were found to have had a legitimate clinical reason to access the records. The remaining 48 did not.

The disciplinary outcomes ranged from informal counselling to a final written warning. Nobody was dismissed. The ICO was notified in August 2024 and chose not to conduct its own investigation, stating it was “satisfied” that no staff had broken data protection law by unlawfully obtaining personal data. The patients themselves were not told until this week — almost two years after the breach occurred.

There is a great deal to unpick here, and very little of it is reassuring.

This is an access control failure, not just a conduct failure

The first question any information security professional should ask is not “why did those 48 people look at those records?” but “why were they able to?”

Role-based access control is a fundamental principle of information security — and a specific requirement under ISO 27001. The idea is straightforward: people should only be able to access the information they need to do their job. A ward administrator in one department should not, by default, be able to pull up the clinical records of a patient in another. A receptionist should not be able to browse the records of high-profile cases unless they have a direct care responsibility.

If 48 members of staff with no legitimate reason to view these records were able to do so with apparent ease, that is a system design problem as much as it is a human behaviour problem. The trust has since introduced what it describes as “a digital solution which reduces inappropriate access to patient records of this nature.” That is welcome — but it also confirms that the technical controls were not adequate before the breach occurred.

This matters beyond the NHS. Any organisation holding sensitive personal data — and that is most organisations — needs to ask itself honestly whether access to that data is genuinely limited to those with a business need, or whether it has simply grown over time to include anyone who might occasionally find it convenient.

The audit worked. The response to it didn’t.

There is a detail in this story that deserves more attention than it has received: the audit identified the problem within days of the breach occurring. That is exactly what audit logging is supposed to do, and it is genuinely good practice.
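As an added illustration (not part of the original post, and not the trust's own monitoring tooling), this is the core check an information access audit of this kind performs, and it is the same care-relationship rule the role-based access control section above describes, applied at audit time rather than at the point of access: every record-open event is tested against the patient's care team, accesses with no active care relationship are flagged, and patients opened by an unusual number of distinct staff are surfaced. The care-window model, staff and patient IDs and timestamps are all assumed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class CareRelationship:  # window in which a staff member is on a patient's care team
    staff_id: str
    patient_id: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class AccessEvent:  # one record-open event from the patient record system's audit trail
    ts: datetime
    staff_id: str
    patient_id: str

def has_care_reason(ev, relationships):
    """Access is legitimate only if a care relationship was active at that moment."""
    return any(r.staff_id == ev.staff_id and r.patient_id == ev.patient_id
               and r.start <= ev.ts <= r.end for r in relationships)

def audit_access(events, relationships):
    """Split accesses into those with and without a care reason (the 12-vs-48 split)."""
    flagged = [ev for ev in events if not has_care_reason(ev, relationships)]
    legit = [ev for ev in events if has_care_reason(ev, relationships)]
    return {"flagged_events": flagged,
            "staff_with_reason": {ev.staff_id for ev in legit},
            "staff_without_reason": {ev.staff_id for ev in flagged}}

def unusual_access_volume(events, threshold):
    """Patients opened by more distinct staff than expected: the surge an audit should surface."""
    readers = defaultdict(set)
    for ev in events:
        readers[ev.patient_id].add(ev.staff_id)
    return {p for p, staff in readers.items() if len(staff) > threshold}

# Constructed sample data: placeholder IDs and times, not records from the Southport case.
T = lambda hour: datetime(2024, 7, 30, hour)
RELATIONSHIPS = [
    CareRelationship("nurse01", "patientA", T(8), T(20)),
    CareRelationship("doc02", "patientA", T(8), T(20)),
]
EVENTS = [
    AccessEvent(T(9), "nurse01", "patientA"),   # on the care team: legitimate
    AccessEvent(T(10), "doc02", "patientA"),    # legitimate
    AccessEvent(T(11), "admin07", "patientA"),  # no care relationship: flagged
    AccessEvent(T(21), "nurse01", "patientA"),  # after the care window closed: flagged
    AccessEvent(T(14), "clerk11", "patientB"),  # no relationship at all: flagged
]
```

Running `audit_access(EVENTS, RELATIONSHIPS)` flags three events and names three staff without a care reason, and `unusual_access_volume(EVENTS, 2)` singles out patientA as the record drawing more readers than its care team explains.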

The failure was not in the monitoring. It was in what happened next. The trust knew in August 2024. The patients didn’t find out until May 2026. We are told that at some point in 2025, senior leadership decided that telling the affected patients would not be in their best interests, on the basis that it might cause further distress. That is a decision that the patients themselves — including Leanne Lucas, who has spoken publicly about the breach — have described as a “cover-up.” The trust denies this characterisation.

Whatever the motivation, the decision sits uncomfortably alongside UK GDPR obligations. Data subjects have the right to be informed when their personal data has been breached in a way that is likely to result in a high risk to their rights and freedoms. Deciding, on their behalf, that they are better off not knowing is not a straightforward legal or ethical position to take — particularly when the individuals concerned have suffered significant trauma and have every reason to want to understand what happened to their information.

48 people is not a few bad apples

The legal director representing survivors made a point that is worth quoting directly: “This is more than a few bad apples when it was 48 different members of staff who, for no legitimate reason, chose to access vulnerable victims’ records. That speaks to a culture.”

She is right. When one person accesses records out of curiosity, that is a conduct issue. When 48 people do it independently, you have a culture in which staff do not genuinely understand — or do not genuinely believe — that browsing records without a care reason is serious.

This is where staff awareness training has a specific and important role. Not the kind of training that tells people what GDPR stands for and asks them to click “I understand” at the end of a module. The kind that is honest about consequences, that makes clear this is a disciplinary matter, and that addresses the rationalisation people use — “I’m a healthcare professional, I’m not going to misuse this” or “I was just curious, I didn’t do anything with it” — directly and without apology.

That kind of training requires people to actually design and deliver it thoughtfully. It cannot be outsourced entirely to a compliance tick-box.

What does “disciplinary action” actually mean here?

ISO 27001 requires organisations to have a documented disciplinary process for information security policy violations. The standard exists in part because experience has shown that without defined and enforced consequences, policies become aspirational rather than operational.

The disciplinary outcomes in this case — informal counselling through to a final written warning, with no dismissals — will be assessed by different people in different ways. Employment law is complex, and individual circumstances matter. But the collective picture is difficult to defend. People accessed the confidential medical records of knife attack survivors, including children who died, without any clinical reason to do so. The highest consequence faced by any of them was a warning that, in most employment contexts, expires from their record after a defined period.

The signal that sends to other staff — in that trust and beyond — is not a small thing. Disciplinary processes only deter if people believe they will be applied meaningfully.

The ICO’s approach to the public sector deserves scrutiny

The ICO confirmed it had been in contact with the trust since August 2024, had received regular updates, and had chosen not to conduct its own investigation. It stated it was “satisfied that no referrals have been made by the trust in respect to staff suspected of breaking data protection law.”

This is not the first time this pattern has emerged. A near-identical situation arose at Nottingham University Hospitals Trust, where staff accessed the records of victims of the Valdo Calocane attack. The ICO’s response there followed a similar trajectory.

There is a well-documented tension in how the ICO approaches public sector organisations versus private sector ones. Indeed, this is an issue we have blogged about previously. The regulator has issued substantial fines to private sector organisations for breaches that, in terms of the sensitivity of data involved and the number of individuals affected, are arguably less serious than this one. Public sector bodies tend to receive reprimands and undertakings rather than financial penalties — partly because fining an NHS trust ultimately reduces the money available for patient care, which creates an obvious political difficulty.

That is an understandable tension. But it has a consequence: organisations in the public sector receive a materially weaker regulatory signal about the seriousness of data protection failures than their private sector equivalents. And the public sector holds some of the most sensitive personal data that exists — medical records, social care records, criminal justice data, records of children.

The ICO’s approach in this case may be legally defensible. Whether it is proportionate to what happened to the victims of the Southport attack is a different question.

What should organisations take from this?

If you are responsible for information security in your organisation — regardless of sector — this case is worth examining seriously. The questions it raises are not unique to the NHS:

  • Are your access controls genuinely role-based, or has access to sensitive data accumulated over time beyond what is actually needed?
  • Do you have audit logging in place, and do you review it — not just in response to incidents, but as a matter of routine?
  • Does your staff awareness training address insider threat honestly, including the disciplinary consequences of inappropriate access?
  • Is your disciplinary process for information security violations documented, understood, and consistently applied — or is it theoretical?
  • When a breach occurs, do you have a clear process for assessing notification obligations — to the ICO and to the individuals affected — that isn’t left to a judgment call made quietly by senior management?

None of these questions are comfortable. But they are considerably less uncomfortable than explaining to someone whose records were browsed without reason why you didn’t think they needed to know.

Cambridge Risk Solutions works with organisations across the public and private sector on information security, data protection and ISO 27001. If any of the questions above have prompted a conversation you need to have, we’re happy to help you have it.

Helen Molyneux is the founder and director of Cambridge Risk Solutions. A certified Lead Auditor for ISO 22301 and ISO 27001, she has spent nearly two decades helping organisations across the public and private sectors build genuine resilience — not just documented compliance. She writes from practice, not theory.