Health bosses are "urgently" investigating how to stop workers looking at patient data without proper reason after 40 staff accessed the records of a boy injured by a crocodile.
The three-year-old was taken to Addenbrooke's Hospital after ending up in the crocodile enclosure at a zoo near Huntingdon last week.
Dozens of staff accessed his files, potentially without legitimate reason, and Cambridge University Hospitals (CUH) yesterday referred itself to the Information Commissioner's Office (ICO).
The Department of Health and Social Care said on Friday it was also investigating.
"It is not acceptable for NHS staff to inappropriately access people's health records and we expect the trust to investigate this fully and take appropriate action," a spokesperson said.
"The NHS must always protect patients' data, and the Department is urgently looking into this issue to prevent this happening again."
CUH said on Thursday that staff could be sacked as there were "strict policies" to protect patient data.
"We know the vast majority of our 13,000 staff understand the fundamental importance of maintaining patient confidentiality and uphold the highest professional standards," a statement read.
"Where any member of staff is found to have accessed patient records without legitimate clinical or operational reasons we take robust disciplinary action, including dismissal.
"As part of our response to any breach, we notify both the ICO and apologise to patients and their families affected."
CUH warned staff about accessing records in a memo the day after the boy was injured.
Hospital management told workers that in recent months five people had been sacked for "inappropriately accessing patient records".
Unlawfully obtaining or disclosing personal data is a criminal offence and can lead to dismissal and criminal prosecution.
The ICO said it was "assessing the information provided" by CUH, with a spokesperson adding: "People need to trust that their medical information is safe and only available to healthcare staff who need to use it.
"When medical records are accessed without a legitimate reason, this can be deeply concerning for patients and their families, especially when a child is involved.
"This is a wider issue across the health sector that we are supporting organisations to address. We are working closely with the National Data Guardian and NHS England, and we continue to remind all organisations about the importance of keeping patient data secure."
The boy was seriously hurt in the incident and it's understood he was attacked by at least one crocodile after allegedly being thrown into the enclosure.
A 30-year-old man was arrested on suspicion of attempted murder.
Police said he was "assessed as not being fit for interview" and had been released on bail until September.
(c) Sky News 2026: 'Urgent' probe into patient data access after 40 staff opened files on boy attacked by crocodile