An NHS trust has dismissed 11 employees who unlawfully accessed the medical records of victims of the Nottingham attacks. Valdo Calocane killed two 19-year-old students, Barnaby Webber and Grace O’Malley-Kumar, along with 65-year-old caretaker Ian Coates, and attempted to kill three others in June 2023.
Disciplinary actions taken
Nottingham University Hospitals NHS Trust (NUH) confirmed that the staff members were sacked as part of an investigation into the inappropriate access of victims' medical files. A further 14 employees have received written warnings but remain in their roles. Those investigated included doctors, nurses, registered medical professionals, and administrators. The specific roles of those dismissed have not been disclosed.
Emma Webber, mother of Barnaby Webber, expressed shock at the scale of misconduct. “To learn that 11 staff have been dismissed and 14 faced disciplinary actions is shocking. What is more shocking is the scale of misconduct – 150 members of staff accessed the records. The process is not yet complete, so we anticipate these numbers to escalate considerably,” she said.
She added that the trust’s finding that 48 staff had legitimate access was unacceptable. “The number is far too high. The rationale given for legitimacy does not stack up, and we are formally challenging this. It’s heartbreaking that on top of our tragic loss, we’ve also had to face such appalling additional failures by members of staff who should know better.”
Trust apologises
Dr Manjeet Shehmar, medical director at NUH, apologised to the victims’ families and emphasised that prying into medical records would not be tolerated. “The families of Ian, Grace, and Barnaby have had to endure much pain and heartache, and I am truly sorry that the actions of some of our staff have added to that. To access the medical records of our patients without a legitimate reason is totally unacceptable,” she said.
She added: “It is essential that access to patient records is lawful, justified, and directly related to their role. By accessing records inappropriately, staff are damaging the valuable contributions made by those colleagues providing care. In those cases where it does happen, I hope that this is a very clear reminder that we will take appropriate action.”
The trust has informed the Information Commissioner’s Office and Nottinghamshire Police. Follow-up actions will involve independent regulators such as the Nursing and Midwifery Council and the General Medical Council.
Similar breach at Liverpool trust
Last week, hospital staff at the University Hospitals of Liverpool Group (UHLG) were accused of a “new low” after it emerged that 48 staff had accessed medical records of victims of the Southport attack without legitimate reason. Bebe King, six, Elsie Dot Stancombe, seven, and Alice da Silva Aguiar, nine, were killed at a Taylor Swift-themed dance event on July 29, 2024. Ten others were seriously injured by Axel Rudakubana, now 19, who was sentenced to a minimum of 52 years in prison.
Leanne Lucas, a dance class teacher who survived the attack, was among those whose records were inappropriately accessed. She said: “I am absolutely devastated and horrified that my privacy has been invaded when I was at my most vulnerable. Nothing will take away my gratitude to the staff who saved my life, but 48 people not involved in my care abused their position of trust to access the files of victims who have suffered unspeakable trauma.”
The trust board chose not to inform those affected, deciding that disclosure would not be in their best interests due to the risk of retraumatisation. Nicola Brook, a legal director at Broudie Jackson Canter representing three survivors, called this “a truly unbelievable breach of privacy for victims of one of the most horrific attacks this country has ever seen.”
UHLG chief executive James Sumner issued a formal apology, stating: “We are sincerely sorry for any distress that may have been caused to the patients that were under our care and who trusted us to look after them when they were most vulnerable. Breaches of patient confidentiality are inexcusable and undermine the hard work of those teams who sought to provide the highest standard of care.”
