Help end medical misogyny. Sign our petition.

Help end medical misogyny.
Sign our petition.

Sign the petition

Please or to access all these features

AIBU?

Share your dilemmas and get honest opinions from other Mumsnetters.

NHS staff accessing medical records inappropriately in high profile or tragic news stories.

224 replies

HavfrueDenizKisi · 26/06/2026 12:02

What the hell is wrong with people who work for the NHS and still somehow think it’s ok to voyeuristically access the medical records of patients who have been in the news?

Just read this article about 40 members of staff being investigated over the inappropriate viewing of this poor boy’s medical records. Read a similar article a few weeks back about the medical records of the victims of the Nottingham attack being accessed. Something like 11 people were sacked and 12 given final warnings about that (somehow suggesting it wasn’t their first time doing so).

Surely it is pretty fucking clear when you start working for the NHS that this is Absolutely Not Allowed. Plus it must be clear that there is a digital trail left behind of anyone accessing records. Honestly the mind boggles.

Link to article on BBC:

https://www.bbc.co.uk/news/articles/cvg5kvpdd15o

A uniformed police office stands in front of a bricked barn has a car park outside the front on the left. There is a fence on the right which opens into a court yard and there are signs on the door. There is a police car parked in the car park.

Crocodile attack: Hospital probe after boy's records accessed

Cambridge University Hospitals refers itself to the Information Commissioner over the breach.

https://www.bbc.co.uk/news/articles/cvg5kvpdd15o

OP posts:
Oldwmn · 28/06/2026 14:18

HavfrueDenizKisi · 26/06/2026 12:16

@TBC99yes not much more can happen than losing their jobs or being disciplined however it’s the fact that they do this knowing this gets audited and they will get caught and they still go ahead. I mean it does suggest a much wider problem IMO.

I don't think so. People do stupid things all the time &, apart from being warned at the outset that it is gross misconduct, I don't see what can be done. It is part of the great tapestry of human nature & no one has ever been able to overcome that!

godmum56 · 28/06/2026 14:35

Oldwmn · 28/06/2026 14:18

I don't think so. People do stupid things all the time &, apart from being warned at the outset that it is gross misconduct, I don't see what can be done. It is part of the great tapestry of human nature & no one has ever been able to overcome that!

yup. people have it won't happen to me -itis. They use mobiles while driving, record themselves doing stupid things in cars on their own dashcams, lend their shoplifting relatives their company discount cards, do their own gas and electricity repairs...endless list really.

RichardMarxisinnocent · 28/06/2026 14:39

DistantEarlyWarning · 26/06/2026 12:46

There is. That’s how people are caught.

There is in some NHS IT systems but not in all of them. The ones I work with don't have that (I work in IT).

There is an audit of who has looked at or updated each patient record, but it's a passive audit where you have to decide to check who has looked at patient X, or decide to look at which patients doctor X has looked at. There is no real time alert that says "doctor X has looked at patient Y". Even if there was you'd then have to investigate to see if the record was accessed for legitimate purposes.

For patients who have been in the news you could probably set up an alert or some sort and that seems worthwhile to do, and feasible to then investigate each access. It's not really feasible to real time alert for every single patient record accessed daily though as that would be huge numbers and completely impractical.

You could potentially set up an alert when a staff member looks at a patient who shares their surname or address to catch them looking at relatives or people they live with, but that's not going to catch people looking at friends or neighbours or relatives with different surnames.

RichardMarxisinnocent · 28/06/2026 14:49

Grandmistress991 · 26/06/2026 14:24

..as an ex nurse I know this is a stackable offence and it was made crystal clear to all staff from the outset. Yet we have Palantir accessing and likely abusing people's personal data within the nhs.
So if you dont like the situation where healthcare workers not.involved in your care access your health record then you really need to familiarise yourself about the absolute shxtshow that is Palantir.

Yep I am really quite angry about the Palantir shitshow.

SerendipityJane · 28/06/2026 15:26

RichardMarxisinnocent · 28/06/2026 14:39

There is in some NHS IT systems but not in all of them. The ones I work with don't have that (I work in IT).

There is an audit of who has looked at or updated each patient record, but it's a passive audit where you have to decide to check who has looked at patient X, or decide to look at which patients doctor X has looked at. There is no real time alert that says "doctor X has looked at patient Y". Even if there was you'd then have to investigate to see if the record was accessed for legitimate purposes.

For patients who have been in the news you could probably set up an alert or some sort and that seems worthwhile to do, and feasible to then investigate each access. It's not really feasible to real time alert for every single patient record accessed daily though as that would be huge numbers and completely impractical.

You could potentially set up an alert when a staff member looks at a patient who shares their surname or address to catch them looking at relatives or people they live with, but that's not going to catch people looking at friends or neighbours or relatives with different surnames.

What you really mean is your systems are not fit for purpose. 4 little words.

Thank Christ the NHS hasn't spunked untold billions on them with private companies, or it would be in a right state.

MrsPapillon · 28/06/2026 15:39

I’ve posted this before, but years ago I took my son to hospital for a paediatric appointment. Halfway through, another doctor knocked on the door and said “They’re back” and my DS’s doctor said “Excuse me, I just need to check something”. I assumed it was something urgent. The doctor looked pained and shook his head and said to the other doctor “There’s no chance”.

I must have looked quite shocked/upset and he turned to me and said “Oh don’t worry, it’s just Wayne Rooney’s foot. He was injured during a match this week (I think it was a World Cup) and there’s been a lot of speculation about whether it’s broken, and it is. So he’ll be out for the rest of the tournament”.

RichardMarxisinnocent · 28/06/2026 15:43

SerendipityJane · 28/06/2026 15:26

What you really mean is your systems are not fit for purpose. 4 little words.

Thank Christ the NHS hasn't spunked untold billions on them with private companies, or it would be in a right state.

You could argue that, but clinicians working in busy ward or ED environments could equally argue that anything which slows down them in accessing the system (such as an extra drop down to justify why they are looking at a record, or as a PP mentioned the login taking a long time) also makes the system not fit for purpose. I have lost count of how many times we've had complaints about potential new and necessary functionality requiring "too many clicks". It's really difficult to balance the two arguments and have a system which satisfies both.

godmum56 · 28/06/2026 16:06

RichardMarxisinnocent · 28/06/2026 15:43

You could argue that, but clinicians working in busy ward or ED environments could equally argue that anything which slows down them in accessing the system (such as an extra drop down to justify why they are looking at a record, or as a PP mentioned the login taking a long time) also makes the system not fit for purpose. I have lost count of how many times we've had complaints about potential new and necessary functionality requiring "too many clicks". It's really difficult to balance the two arguments and have a system which satisfies both.

Some clinicians (and I was one, a clinician, not a moaner!) will moan about anything. When manual handling equipment was brought in - and it was primarily done to prevent injury to staff - moaned that it "took too long" to use a hoist. Some hoists were actually over the bed that the patient was in, the others were stored at the end of the ward...say 20 extra steps each way

Womblingwombats · 28/06/2026 16:27

I understand concerns regarding not creating too many barriers so that the system doesn’t become unusable. For this reason I think all access (name, dept, location) should be easily viewed by patients so they can determine if access to their records seems legitimate. This is possible currently but it’s not ‘switched on’. Audits are currently able to identify high profile breaches but identifying day to day snooping is far harder and not routinely done. I’d also suggest sanctions need to be objective and more uniformly applied. I find it amazing that people genuinely think staff are always sacked. It depends on many factors and can be influenced by position, relationships etc. In the case I was affected by the doctor was just give a verbal warning despite it being a very egregious case. The wording of everything to do with sanctions is vague and always states sanctions can ‘include dismissal’. It’s very much not a given. The same as ‘it’s illegal’ - it is but who’s prosecuting? It’s rarely used. If we sort these things then I think records would be much safer

londontoibiza · 28/06/2026 16:31

Womblingwombats · 28/06/2026 16:27

I understand concerns regarding not creating too many barriers so that the system doesn’t become unusable. For this reason I think all access (name, dept, location) should be easily viewed by patients so they can determine if access to their records seems legitimate. This is possible currently but it’s not ‘switched on’. Audits are currently able to identify high profile breaches but identifying day to day snooping is far harder and not routinely done. I’d also suggest sanctions need to be objective and more uniformly applied. I find it amazing that people genuinely think staff are always sacked. It depends on many factors and can be influenced by position, relationships etc. In the case I was affected by the doctor was just give a verbal warning despite it being a very egregious case. The wording of everything to do with sanctions is vague and always states sanctions can ‘include dismissal’. It’s very much not a given. The same as ‘it’s illegal’ - it is but who’s prosecuting? It’s rarely used. If we sort these things then I think records would be much safer

Edited

Patients would have no idea whether access was appropriate or not.

Womblingwombats · 28/06/2026 16:33

londontoibiza · 28/06/2026 16:31

Patients would have no idea whether access was appropriate or not.

You would definitely know if your neighbour’s name was there and had nothing to do with your care. In our case we knew the doctor did it bacause she shared something otherwise we would have had no idea. Plus it would be genuine deterrent to those who feel they can get away with snooping.

londontoibiza · 28/06/2026 16:36

Womblingwombats · 28/06/2026 16:33

You would definitely know if your neighbour’s name was there and had nothing to do with your care. In our case we knew the doctor did it bacause she shared something otherwise we would have had no idea. Plus it would be genuine deterrent to those who feel they can get away with snooping.

Edited

And when patients start to kick off about every single access?

Womblingwombats · 28/06/2026 16:42

I personally don’t think they will and I also patients have a right to know. The balance between access and protecting patients is a v tricky one and it’s hard to find an ideal solution

NowSober · 28/06/2026 16:46

Womblingwombats · 28/06/2026 16:42

I personally don’t think they will and I also patients have a right to know. The balance between access and protecting patients is a v tricky one and it’s hard to find an ideal solution

Upthread I was criticised because I was unapologetic about accessing my own record to print off a path lab result confirming I had COVID-19. Patients have a right to access their own records.

londontoibiza · 28/06/2026 16:47

Womblingwombats · 28/06/2026 16:42

I personally don’t think they will and I also patients have a right to know. The balance between access and protecting patients is a v tricky one and it’s hard to find an ideal solution

They absolutely would.

SerendipityJane · 28/06/2026 16:48

RichardMarxisinnocent · 28/06/2026 15:43

You could argue that, but clinicians working in busy ward or ED environments could equally argue that anything which slows down them in accessing the system (such as an extra drop down to justify why they are looking at a record, or as a PP mentioned the login taking a long time) also makes the system not fit for purpose. I have lost count of how many times we've had complaints about potential new and necessary functionality requiring "too many clicks". It's really difficult to balance the two arguments and have a system which satisfies both.

You could argue that, if you didn't know what was possible. Or didn't want to pay for it. Or were confused by the two. Or deliberately confusing the two for some reason or another.

Or you could just deliver something that did the job/

Depends where your priorities are.

Womblingwombats · 28/06/2026 16:50

Out of interest, what do you think the best system would look like? @londontoibiza

londontoibiza · 28/06/2026 17:01

Womblingwombats · 28/06/2026 16:50

Out of interest, what do you think the best system would look like? @londontoibiza

Edited

The system now works fine. People get audited and caught.

Womblingwombats · 28/06/2026 17:02

londontoibiza · 28/06/2026 17:01

The system now works fine. People get audited and caught.

It doesn’t sadly. It really doesn’t

londontoibiza · 28/06/2026 17:05

Womblingwombats · 28/06/2026 17:02

It doesn’t sadly. It really doesn’t

It does.

You cannot legislate against every single thing a person might do.

Womblingwombats · 28/06/2026 17:06

londontoibiza · 28/06/2026 17:05

It does.

You cannot legislate against every single thing a person might do.

As someone with lived experience I can tell you the implications can be terrible. I’m stepping away as this topic is obviously far more personally difficult for me than for others

SerendipityJane · 28/06/2026 17:13

Womblingwombats · 28/06/2026 17:02

It doesn’t sadly. It really doesn’t

You need to separate between malice and incompetence.

A really good use of "AI" that you are unlikely to hear about would be to monitor logging in real time, and look for anything which falls outside the learned patterns of work, which could trigger an action plan to isolate and inspect the logs and identify unauthorised access in near real time.

It won't happen, naturally. But hopefully it gives us all a warm feeling to know it's out there.

ArtfulCoralHiker · 28/06/2026 17:38

Luckily, NHS management also thinks it's completely inappropriate to the point of being a sackable offence. At my workplace, every time there's a story like this in the news, we get reminders from our managers that it's gross misconduct. I don't know why anyone would do it. Is it really worth ending your career to sell a story to the tabloids (or just because you're a nosy parker)?

RichardMarxisinnocent · 28/06/2026 17:45

godmum56 · 28/06/2026 16:06

Some clinicians (and I was one, a clinician, not a moaner!) will moan about anything. When manual handling equipment was brought in - and it was primarily done to prevent injury to staff - moaned that it "took too long" to use a hoist. Some hoists were actually over the bed that the patient was in, the others were stored at the end of the ward...say 20 extra steps each way

Oh I completely agree about the "moaning about anything". There are plenty of times when there have been complaints about too many clicks were we've had to tell them sorry but this particular click or confirmation is essential (usually for clinical safety reasons), but there are others where they had a point about it adding too much extra time, so we've changed the way the functionality works to make it less clunky.

For logging in, some sort of smart card which you tap onto a reader is probably the ideal and quickest way to log in, but it takes time to get all systems in a Trust able to be logged into like that, especially when there are many hundreds of other changes/improvements/new functions which we've been asked to add to the systems.

RichardMarxisinnocent · 28/06/2026 17:58

SerendipityJane · 28/06/2026 16:48

You could argue that, if you didn't know what was possible. Or didn't want to pay for it. Or were confused by the two. Or deliberately confusing the two for some reason or another.

Or you could just deliver something that did the job/

Depends where your priorities are.

I'm not confused by or deliberately confusing anything. I don't disagree that it may well be possible to deliver an ideal solution but that depends on having enough:
-money
-software developers
-software testers
-time
The NHS IT department I work in doesn't have enough of any of those things, and has an ever growing extremely long list of software developments we are being pushed to deliver, with priorities being changed on a regular basis (or often with far too many things being deemed highest priority). We'd love to deliver "something that just did the job" but it's not that easy.

Swipe left for the next trending thread