Recent reports of alleged inappropriate access to patient records within NHS organisations have once again highlighted the importance of strong information governance, data protection and organisational culture.

An HSJ investigation reported that North West Ambulance Service (NWAS) is investigating concerns that staff may have inappropriately accessed records relating to victims of the 2024 Southport attack. While the investigation remains ongoing, the case raises broader questions about how organisations monitor access to sensitive information and respond when concerns arise.

Protecting Confidential Information

Healthcare organisations hold some of the most sensitive personal data available. Patients trust that their information will only be accessed for legitimate clinical or operational reasons.

Maintaining this trust requires robust governance arrangements that ensure organisations:

  • Clearly define acceptable use of information systems.
  • Monitor access to sensitive records.
  • Investigate potential breaches promptly.
  • Apply disciplinary processes consistently.
  • Learn from incidents and strengthen controls.

Failures in these areas can impact not only those directly affected but also public confidence in healthcare services.

Governance and Culture Matter

Effective information governance extends beyond policies and procedures. Organisations must foster a culture where confidentiality is understood, valued and actively protected.

This relies on:

  • Regular training and awareness.
  • Clear leadership expectations.
  • Effective supervision and accountability.
  • Consistent enforcement of policies.
  • Safe reporting mechanisms for concerns.

A strong culture can be one of the most effective safeguards against inappropriate access to information.

Transparency Builds Trust

When incidents occur, how an organisation responds can be just as important as the incident itself. Transparency, accountability and timely communication help maintain public confidence while investigations are undertaken.

Healthcare organisations must balance legal and regulatory obligations with stakeholder expectations and the need to demonstrate openness.

Learning from Incidents

As healthcare services continue to expand their use of digital systems and electronic patient records, effective oversight becomes increasingly important.

Boards and leadership teams should regularly consider:

  • Are information governance controls operating effectively?
  • Is access to sensitive information adequately monitored?
  • Are potential breaches identified and investigated quickly?
  • Does organisational culture support ethical behaviour and accountability?

Internal audit and assurance reviews can help identify weaknesses before they result in significant harm.

How TIAA Can Help

TIAA supports healthcare, public sector and not-for-profit organisations in strengthening governance, risk management and assurance arrangements.

Through internal audit and advisory services, we help organisations assess information governance frameworks, data protection controls and organisational culture, providing independent assurance that sensitive information is being effectively protected.

Looking Ahead

The issues highlighted by the ongoing NWAS investigation serve as a reminder that protecting patient information requires more than technology alone. Strong governance, clear accountability and a culture that prioritises integrity remain essential to maintaining trust and confidence in healthcare services.

Source: HSJ Intelligence, July 2026.