Nottingham University Hospitals NHS Trust has issued an apology after a public inquiry revealed that survivors of the Nottingham attacks were not properly considered when a major data breach investigation began. Medical director Manjeet Shehmar acknowledged that the trust’s early response caused additional distress to victims and their families, admitting that the initial focus was too narrow and primarily centered on the families of those who died rather than including the people who survived the attack.
The breach stems from the June 13, 2023 attacks carried out by Valdo Calocane, who murdered three people and seriously injured three others at locations in and around Nottingham. Following the attacks, it was discovered that staff at the trust had inappropriately accessed medical records belonging to victims without proper authorization. The trust launched an internal investigation in 2025, which uncovered widespread unauthorized access to sensitive patient information during a period when survivors and bereaved families were already coping with extreme trauma.
The inquiry found that 11 employees were dismissed after the trust confirmed multiple serious breaches of data protection protocols. The dismissed staff included nurses and other healthcare workers, indicating that the unauthorized access was not confined to a single department. Several other employees received final written warnings or first written warnings. The scale of the dismissals and warnings highlighted how deeply the breach penetrated the trust’s operations and raised serious concerns about internal safeguards for protecting patient records.
Survivors’ legal representatives had to intervene before the trust fully recognized that survivors should be included in the inquiry process from the beginning. This delay meant that the emotional and psychological impact on the people who lived through the attack was not initially addressed, even though they were directly affected by both the original violence and the subsequent data breach. The trust acknowledged that it failed to consider survivors from the start, which compounded the distress caused by the breach.
The case has become a significant example of how institutions must balance their duty to investigate data breaches with their responsibility to protect the well-being of victims. For survivors and bereaved families, critical questions remain about what specific information was accessed, who viewed the records, and why existing safeguards were not strong enough to prevent unauthorized access. The inquiry continues to examine these issues as part of a broader review of institutional responses to major crimes when the very systems meant to protect patients fail during times of crisis.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
