Nottingham University Hospitals NHS Trust: Attacks survivors 'not considered' after data breach

Nottingham NHS Trust Investigates Staff Over Data Breaches Linked to 2023 Attacks

Nottingham University Hospitals (NUH) NHS Trust is scrutinizing staff members following unauthorized access to medical records of victims connected to the June 13, 2023, attacks by Valdo Calocane. The assailant, diagnosed with paranoid schizophrenia in 2020, killed three individuals (Barnaby Webber, Grace O’Malley-Kumar, and Ian Coates) and severely injured three others, including Wayne Birkett and Sharon Miller, after stealing a van and striking pedestrians.

An internal investigation revealed that 11 NUH employees were dismissed for inappropriately accessing the victims’ records, with four identified as nurses, one as an "other registered professional," and six as "other staff." Additionally, four doctors, five nurses, one registered professional, and two staff members received final written warnings. The trust initially focused only on the deceased victims’ records, overlooking the surviving victims until their solicitor contacted NUH in March 2025.

NUH’s medical director, Manjeet Shehmar, testified at a public inquiry that she was unaware of the surviving victims during the initial probe, admitting the oversight only after being prompted. She acknowledged relying on media reports for details of the attacks rather than direct institutional knowledge. The inquiry also highlighted systemic failures in Calocane’s mental health care, with the trust acknowledging errors in his treatment.

The investigation into staff misconduct remains ongoing, as the trust re-examines disciplinary actions in light of the inquiry’s findings. The attacks and subsequent breaches have underscored critical gaps in both data security and victim support within the NHS.

Source: https://www.bbc.com/news/articles/ce8pjmjg57po

Nottingham University Hospitals cybersecurity rating report: https://www.rankiteo.com/company/nottingham-university-hospitals

"id": "NOT1779892409",
"linkid": "nottingham-university-hospitals",
"type": "Breach",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Victims of the June 13, 2023 '
                                              'attacks (6 individuals)',
                        'industry': 'Healthcare',
                        'location': 'Nottingham, UK',
                        'name': 'Nottingham University Hospitals (NUH) NHS '
                                'Trust',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Insider Threat',
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (medical and personal '
                                        'information of victims)',
                 'type_of_data_compromised': 'Medical records'},
 'date_detected': '2023-06-13',
 'date_publicly_disclosed': '2025-03',
 'description': 'Nottingham University Hospitals (NUH) NHS Trust is '
                'scrutinizing staff members following unauthorized access to '
                'medical records of victims connected to the June 13, 2023, '
                'attacks by Valdo Calocane. The investigation revealed that 11 '
                'employees were dismissed and others received warnings for '
                "inappropriately accessing victims' records, including those "
                'of surviving victims initially overlooked.',
 'impact': {'brand_reputation_impact': 'Negative impact on NHS trust '
                                       'reputation',
            'data_compromised': 'Medical records of victims',
            'identity_theft_risk': 'Potential risk due to exposure of medical '
                                   'records',
            'operational_impact': 'Internal investigation and disciplinary '
                                  'actions',
            'systems_affected': 'NUH NHS Trust patient record systems'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Critical gaps in data security, victim support, and '
                    'oversight of staff access to sensitive records were '
                    'identified. Systemic failures in mental health care were '
                    'also highlighted.',
 'motivation': 'Unauthorized curiosity or misuse of access',
 'post_incident_analysis': {'corrective_actions': 'Re-examination of '
                                                  'disciplinary actions, '
                                                  'improved staff training, '
                                                  'and enhanced monitoring of '
                                                  'record access.',
                            'root_causes': 'Unauthorized staff access to '
                                           'sensitive records, lack of '
                                           'oversight, and systemic failures '
                                           'in victim support and mental '
                                           'health care.'},
 'recommendations': 'Improve staff training on data access policies, enhance '
                    'monitoring of sensitive records, and ensure comprehensive '
                    'victim support protocols.',
 'references': [{'source': 'Public inquiry testimony'}],
 'regulatory_compliance': {'regulations_violated': 'Likely GDPR and NHS data '
                                                   'protection policies'},
 'response': {'communication_strategy': 'Public inquiry testimony and internal '
                                        'communications',
              'containment_measures': 'Disciplinary actions against staff',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Re-examination of disciplinary actions '
                                      'and victim support'},
 'threat_actor': 'NUH NHS Trust staff members',
 'title': 'Nottingham NHS Trust Investigates Staff Over Data Breaches Linked '
          'to 2023 Attacks',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unauthorized access by staff'}