Key Points
- A father of a 13-year-old Southport attack survivor has accused North West Ambulance Service (NWAS) of a “complete breach of trust” over possible inappropriate access to his daughter’s medical records.
- The allegation emerges after it was revealed in May 2025 that nearly 50 staff at Aintree Hospital (NHS University Hospitals Liverpool Group) had looked at injured victims’ records without good reason.
- An internal NWAS document suggests under 10 ambulance service individuals may have accessed incident-related patient data without cause; the trust is now investigating and has notified the Information Commissioner’s Office (ICO).
- Solicitors at Fletchers Solicitors, representing the girl and 21 other survivors, are calling for a full-scale review by NHS England of guidance and disciplinary procedures for staff who inappropriately access patient data.
- Dance instructor Leanne Lucas, one of three adult survivors, says she is “devastated and horrified,” describing the new potential breach as “insult added to injury” after her own records were wrongly accessed at Aintree.
- NWAS chief executive Salman Desai states the trust will contact affected families as enquiries progress, treats any inappropriate access “extremely seriously,” and has offered apologies for the concern and distress caused.
- The ICO says it will assess evidence provided in due course and consider next steps, including whether criminal investigations are needed for breaches of data protection law.
- No ambulance staff have been formally disciplined so far, though NWAS says it has “strengthened their HR process for future incidents.”
- The father cannot be identified due to an anonymity order protecting his daughter, who was helping supervise a Taylor Swift-themed dance class before being stabbed in the back and arm.
- The case has intensified concerns about a “culture of snooping” within the NHS, with calls for a robust, system-wide policy review to prevent further intrusions into victims’ private medical information.
Southport (Liverpool Standard) July 14, 2026 – The father of a girl seriously hurt in the uk/local/southport/">Southport attack has accused North West Ambulance Service (NWAS) of a “complete breach of trust” as it emerged that the service is investigating whether staff inappropriately accessed victims’ medical records. He described the possible breaches as “appalling” and alleged that some ambulance staff “just wanted to satisfy their own morbid curiosity.”
- Key Points
- Why does the father describe the breach as a “complete breach of trust”?
- How did the family discover the ambulance service’s possible data access?
- What uncertainties remain about what data was viewed?
- How have other survivors reacted to the latest potential breach?
- What do solicitors say about a “culture of snooping” in the NHS?
- What responses have NWAS and the ICO given?
- Background: How did the Southport attack and subsequent data breaches unfold?
- Prediction: What impact could this development have on Southport attack survivors and the wider public?
The allegation comes after it was revealed earlier in May 2025 that dozens of workers at Aintree Hospital, where some of the injured were treated, had looked at the records with no good reason. As reported by BBC News, three young girls Alice da Silva Aguiar, Bebe King, and Elsie Dot Stancombe – were murdered in the attack, while 10 others were physically injured.
Why does the father describe the breach as a “complete breach of trust”?
The father of a girl who was 13 when she was injured but survived the attack said: “It is a complete breach of trust in our darkest hours as a family and dampens how you feel about the amazing work they do to save lives.” He added:
“It was already incredibly difficult to think that staff at Aintree hospital had needlessly pried into our daughter’s condition.”
The man cannot be identified due to an anonymity order protecting his daughter, who had been helping to supervise the dance class before she was stabbed in the back and arm. According to the Liverpool Standard, solicitors acting for the girl and for another 21 of the 23 girls who survived the attack are calling for a full-scale review by NHS England into the guidance and disciplinary procedures for staff who inappropriately access patient data.
How did the family discover the ambulance service’s possible data access?
The calls for a review come after another trust, NHS University Hospitals of Liverpool Group (UHLG), admitted in May that nearly 50 staff members at Aintree Hospital had looked inappropriately at the medical records of some of the injured victims in the days after the attack. Fletchers Solicitors, which is already investigating this breach, said the family were reviewing documents given to them by UHLG about the breaches at Aintree, when they saw information that said staff from North West Ambulance Service might have also accessed their daughter’s records without cause.
It said a document stated that under 10 individuals might have inappropriately accessed the incident within the ambulance service. The father explained that after learning about the Aintree incident, “to then learn that ambulance staff have done the same and we have only found out by raking through these documents is appalling.”
What uncertainties remain about what data was viewed?
The father said the NHS trusts were still unable to tell them with certainty whether photographs of their daughter’s injuries were viewed by staff and “so we don’t know what to believe.” He added:
“The decision to share what happened to her should have been our daughter’s to make, now nobody can guarantee what data was shared and retained.”
“They’ve had multiple chances to tell us about this but instead we have been left to discover it all two years later, when we should be focusing on recovering and moving forward.” As reported by the BBC, the solicitors firm added that the ambulance trust was “not formally disciplining” staff but had “strengthened their HR process for future incidents.”
How have other survivors reacted to the latest potential breach?
Leanne Lucas was critically injured and required multiple surgeries after the attack. Leanne Lucas, who was the instructor at the Taylor Swift-themed dance event where the attack took place, and is one of the three adult survivors, said she was “devastated and horrified” by the latest potential data breach.
“Life has never been the same since 29 July 2024, and so many people are still living with the trauma of that day,” she said.
“To now learn of another potential data breach is deeply upsetting, particularly after staff at NHS University Hospitals of Liverpool wrongly accessed my medical records. It feels like insult added to injury.”
She said she was now waiting to hear from the ambulance trust as to whether her records were accessed by staff there.
“Whatever the outcome, I hope there is a thorough investigation, full transparency for everyone affected, and robust measures put in place to ensure this can never happen again,”
she added.
What do solicitors say about a “culture of snooping” in the NHS?
Nicola Ryan-Donnelly, associate solicitor at Fletchers Solicitors, said:
“The recent string of patient data breaches has shown there is a deep-rooted culture of snooping within the NHS.”
“People who are seriously injured or dying should not have the added worry that they are being pried on, as they are rushed into hospital fighting for their lives.”
“We want to see a full review by NHS England of the current policy governing all NHS staff on inappropriate patient data breaches.” As reported by the BBC, NWAS has notified the Information Commissioner’s Office (ICO).
What responses have NWAS and the ICO given?
NWAS chief executive Salman Desai said it was investigating after it had “identified concerns about potential inappropriate access to patient records.” Desai added:
“We will contact families and patients who may have been affected as our enquiries progress. Any inappropriate access to patient information will be treated extremely seriously. We are deeply sorry for the concern and distress this may cause.”
NWAS has notified the Information Commissioner’s Office (ICO). UHLG, which runs Aintree Hospital, has previously said the breach there was “inexcusable” and changes had been made – although no-one was sacked.
An ICO spokesperson said NWAS had made them aware of their internal investigation into the potential inappropriate access of medical records by staff.
“As this is ongoing, we will assess any evidence provided in due course and consider our next steps, including whether any criminal investigations need to be opened for breaking data protection law,”
they said.
They added the ICO was supporting organisations to address the wider issue of data breaches across the health sector, working closely with the National Data Guardian and NHS England.
Background: How did the Southport attack and subsequent data breaches unfold?
On 29 July 2024, a stabbing attack occurred during a Taylor Swift-themed dance class in Southport, resulting in the deaths of three young girls – Alice da Silva Aguiar, Bebe King, and Elsie Dot Stancombe – and physical injuries to 10 others. Multiple victims, including children and adults, were treated at Aintree Hospital, part of NHS University Hospitals of Liverpool Group (UHLG).
In May 2025, UHLG admitted that nearly 50 staff at Aintree Hospital had accessed medical records of some injured victims without good reason, describing the breach as “inexcusable.” This discovery prompted legal action by Fletchers Solicitors, representing many of the survivors, and raised wider concerns about data protection practices across NHS trusts.
The current allegation against NWAS adds to that pattern, with internal documents suggesting under 10 ambulance service staff may have inappropriately accessed incident-related patient data. The trust has launched an internal investigation, informed the ICO, and stated it will contact potentially affected families as the enquiry progresses.
Prediction: What impact could this development have on Southport attack survivors and the wider public?
For the families of the Southport attack victims, this development risks deepening trauma by undermining confidence that their most sensitive medical information is being handled with care and respect. As the father of one survivor stated, the breaches “dampen how you feel about the amazing work they do to save lives,” which could affect willingness to engage fully with NHS services during long-term recovery and rehabilitation.
For the wider public, the case reinforces concerns about a “culture of snooping” within the health sector and may lead to increased scrutiny of how NHS staff access patient data, potentially resulting in stricter policies, more robust disciplinary frameworks, and greater transparency. If the ICO pursues criminal investigations or if NHS England implements a full policy review, the changes could affect data access practices across all NHS trusts, not just those directly involved in the Southport breaches.
In the longer term, if responses are perceived as inadequate, trust in NHS data protection could be eroded, making patients more cautious about sharing information and potentially complicating clinical care. Conversely, if the outcome includes clear accountability, transparent communication, and systemic reforms, it could help restore confidence and set a stronger standard for data governance across the health sector.
