Nottingham University Hospitals NHS Trust (NUH) has dismissed 11 members of staff and issued formal warnings to 14 others following an investigation into the unauthorised access of medical records belonging to the three victims of the Nottingham attacks, according to reporting by the BMJ.
What the Investigation Found
The inquiry, which got under way in early 2025, examined how staff across multiple roles — including doctors, nurses, other registered medical professionals, and administrative personnel — had accessed records they had no legitimate clinical reason to view. Of those who received warnings, two were issued first written warnings and 12 received final written warnings, the most serious sanction short of dismissal.
The three individuals whose records were accessed were Grace O'Malley-Kumar, aged 19; Barnaby Webber, also 19; and Ian Coates, 65, who worked as a school caretaker. All three were killed on 13 June 2023 in an attack carried out by Valdo Calocane, who had a diagnosis of paranoid schizophrenia.
A Serious Breach of Patient Privacy
The case has drawn attention to the vulnerability of sensitive health data in the aftermath of high-profile incidents, when public interest and institutional familiarity can combine to erode professional boundaries. Under UK data protection law and NHS information governance frameworks, access to patient records is restricted to those with a direct care relationship or a specific authorised purpose. Curiosity — however understandable in human terms — does not constitute a lawful basis for access.
NUH medical director Manjeet Shehmar issued a public statement acknowledging the harm caused to the victims' families.
The families of Ian, Grace, and Barnaby have had to endure much pain and heartache, and I am truly sorry that the actions of some of our staff have added to that.
The statement reflects a wider recognition within the trust that the breach compounded an already devastating set of circumstances for those closest to the victims.
The Broader Context of Data Privacy in Healthcare
Inappropriate access to medical records is not a new problem for NHS trusts, but cases involving victims of violent crimes or high-profile incidents tend to expose the scale of the issue more starkly. Healthcare workers are regularly reminded through mandatory training that accessing records without clinical justification — even when no information is shared externally — constitutes a breach of confidentiality and can carry serious professional consequences.
The range of roles implicated in the NUH investigation underscores that this is not solely a clinical governance issue. Administrative staff, who often have broad system access for operational reasons, were among those investigated alongside doctors and nurses. That breadth suggests the problem may be as much about access controls and audit culture as it is about individual conduct.
NHS organisations are required to maintain detailed audit logs of who accesses which records and when. These logs form the evidentiary basis for investigations of this kind. The fact that NUH was able to identify 25 individuals across different staff grades points to the effectiveness of those audit systems when they are actively reviewed — though questions remain about how quickly the access was detected and whether monitoring protocols were triggered in real time or only retrospectively.
Impact on Grieving Families
For the families of Grace O'Malley-Kumar, Barnaby Webber, and Ian Coates, the disclosure that their loved ones' private health information was viewed without authorisation represents a distinct and separate harm from the attacks themselves. Medical records can contain highly sensitive material — mental health histories, diagnoses, treatment details — and the knowledge that such information was accessed by people with no clinical need to see it has been described by the trust as an additional source of distress.
The victims' families had already been navigating a prolonged and painful public process, including criminal proceedings against Calocane, who pleaded guilty to manslaughter on the grounds of diminished responsibility rather than murder — a verdict that prompted significant public debate about the criminal justice system's handling of serious violence committed by individuals with severe mental illness.
Professional and Regulatory Consequences
Dismissal from an NHS trust for a data breach of this nature does not necessarily mark the end of professional consequences. Registered clinicians — doctors, nurses, and allied health professionals — may also face referral to their respective regulatory bodies, such as the General Medical Council or the Nursing and Midwifery Council, where findings of impaired fitness to practise could result in conditions on registration, suspension, or erasure.
The BMJ report does not specify whether any of the 11 dismissed staff have been referred to professional regulators, but such referrals are standard practice when registered professionals are dismissed for conduct that raises questions about their integrity or trustworthiness.
Systemic Questions Remain
While the disciplinary outcomes represent a degree of accountability, the case raises systemic questions about how NHS trusts manage access to records in the immediate aftermath of major incidents. When a violent event receives extensive local and national coverage, staff at nearby hospitals may have personal or community connections to those involved, creating conditions in which the temptation to look up records is heightened.
Some trusts have responded to past incidents by implementing temporary access restrictions or enhanced monitoring flags on the records of individuals involved in high-profile cases. Whether NUH had such measures in place at the time of the 2023 attacks, or whether this investigation has prompted a review of those protocols, has not been confirmed in publicly available statements.
The case, as reported by the BMJ, serves as a reminder that data protection obligations do not diminish in the wake of tragedy — and that the harm caused by breaches extends beyond abstract regulatory compliance to the lived experience of families already carrying profound grief.