NHS England issues insider-access controls after staff 'snooping' on high-profile patients' records
NHS England issued guidance to all NHS organisations on 2026-07-08 on preventing, monitoring and investigating unauthorised staff access to patient records, alongside a "don't let curiosity kill your career" awareness campaign, after a run of insider incidents in which staff viewed the electronic records of victims of high-profile crimes — including the 2023 Nottingham attacks — with no legitimate clinical reason (NHS England, 2026-07-08). The guidance sets out that confirmed unlawful access may be reported to the Information Commissioner's Office and police, both of which can pursue criminal prosecution, and to professional regulators able to end a clinician's registration; Infosecurity Magazine reports the triggering cases included staff dismissed for accessing Nottingham-attack victims' records and roughly 40 staff at a Cambridgeshire hospital who accessed a seriously injured child's record (Infosecurity Magazine, 2026-07-10). This is the perennial healthcare insider-misuse problem — authorised users abusing legitimate credentials (not an external intrusion) — but the operational content is in the controls NHS England now presses: role-based access minimising sensitive-record visibility to those who need it, multi-factor authentication, and monitoring capable, on newer EPR systems, of flagging suspicious access in real time (NHS England, 2026-07-08).
Having the ability to view a record is not the same as having a legitimate need to do so.
some newer electronic patient record systems may be able to identify unlawful access in ‘real’ time, with the capability to set up alert ‘flags’ to identify suspicious activity.
Defender actions
- Scope EPR/EHR role-based access to ward/care-team assignment rather than facility-wide read, and require a documented business justification when a search widens beyond a staff member's assigned care team.
- Deploy audit-log analytics that join record-access events to the care-team/rostering system of record, flagging views with no matching clinical relationship, plus anomaly detection on per-staff access volume and break-glass overrides lacking post-hoc justification within a defined SLA.
- Enforce MFA on EPR access and run proactive periodic audit sampling rather than only reactive investigation after a high-profile case or media enquiry.
ATT&CK mapping
1 technique mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1078Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Persistence TA0003
T1078Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Privilege Escalation TA0004
T1078Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Stealth TA0005
T1078Valid Accounts
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.