A dance teacher who survived the Southport attack has accused hospital staff of a “new low” after it emerged that 48 employees inappropriately accessed the medical records of victims. Leanne Lucas, who was seriously injured in the July 2024 stabbing spree that killed three young girls, said the decision to withhold this information for nearly two years amounted to an “attempted cover-up.”
Background of the Attack
The attack occurred on July 29, 2024, during a Taylor Swift-themed dance class in Southport. Bebe King, six, Elsie Dot Stancombe, seven, and Alice da Silva Aguiar, nine, were killed. Ten others, including Ms. Lucas, were seriously injured. The perpetrator, Axel Rudakubana, then 18, was sentenced to a minimum of 52 years in prison.
Hospital Audit Reveals Breach
Some of the injured were treated at University Hospitals of Liverpool Group (UHLG). According to the Health Service Journal (HSJ), a standard information access audit conducted days after the incident found that 48 staff members had accessed victims’ records without legitimate reason. However, patients were only informed this week.
Ms. Lucas, who was treated at UHLG, expressed devastation. “Nothing will take away my gratitude to the staff who saved my life, but 48 people not involved in my care abused their position of trust to access the files of victims who have suffered unspeakable trauma. The decision to keep this from me for almost two years is a new low,” she said.
The trust denied a cover-up, stating it originally planned to inform patients but changed its mind in 2025, believing disclosure could retraumatise them.
Legal and Disciplinary Actions
Nicola Brook, Legal Director at Broudie Jackson Canter, representing three survivors, called the breach “truly unbelievable.” She said: “This is more than a few bad apples when it was 48 different members of staff who for no legitimate reason chose to access vulnerable victims’ records. That speaks to a culture that will only change if there are real consequences.”
The internal report identified 64 suspicious access cases. Four staff left before investigation; of the remaining 60, 12 had legitimate reasons. The other 48 faced disciplinary action ranging from informal counselling to final written warnings, though none were dismissed.
UHLG chief executive James Sumner apologised: “Breaches of patient confidentiality are inexcusable and undermine the hard work of those teams who sought to provide the highest standard of care.” He said the trust notified regulators, including the Information Commissioner’s Office (ICO), and implemented a digital solution to reduce inappropriate access.
Similar Incident at Nottingham
This breach follows a similar case at Nottingham University Hospitals Trust, where staff accessed records of victims of the Valdo Calocane attack. Families described it as “sickening” and a “gross invasion of privacy.”
The ICO confirmed it was informed of the Liverpool breach in August 2024 but did not launch its own investigation, stating it was “satisfied” no data protection laws were broken regarding unlawful obtaining of personal data.
