William - stock.adobe.com
Child rapist could have profiled victims through unaudited access to NHS databases
NHS analyst’s conviction for child sexual abuse offences raises concerns over unaudited access to patient data
A former NHS analyst and convicted child rapist could have profiled his victims through NHS database queries that were unaudited.
Paul Lipscombe, from Rothley, Leicestershire, who was 51 at the time he was jailed for 28 years in November 2025, worked at University Hospitals Coventry and Warwickshire NHS Trust as an analyst when he committed multiple sexual offences against girls.
Leicestershire Police, which investigated Lipscombe, said he targeted victims between 12 and 15, via the Snapchat social media app.
An NHS whistleblower with knowledge of the systems told Computer Weekly that in his analyst role, Lipscombe would have also been able to collect the personal details of victims through unaudited SQL database searches.
While the NHS Trust said it “undertook a records check in relation to Paul Lipscombe’s patient access”, which identified no concerns, the whistleblower revealed concerns among staff that access to patient information for analysts at many NHS trusts is untraceable.
Typical hospitals will have up to 20 analysts who run legitimate queries against databases, mainly using SQL, as part of their jobs. They have access to data that sits behind the digital systems in hospitals to produce reports for internal use and for government. Most patient contact that is recorded on a digital system will be accessible by analysts through databases. This includes personal data.
In contrast, access to the Patient Administration System (PAS), which is used by many staff, is audited, and its use is traceable. “In many NHS hospitals, every time a staff member opens a patient’s record on the PAS, their access to the record is logged and auditable,” said the whistleblower. “But analysts who work directly with the underlying databases, often in SQL Server, can retrieve the same personal patient details without creating an auditable record of who accessed what.”
Accountability gap
This creates a gap in accountability. “If an analyst wanted to misuse demographic information such as addresses or phone numbers, in many NHS trusts there would be little or no audit trail to detect it,” added the source. “The NHS should require all trusts to log database queries by analysts and retain those records for several years so that access to sensitive data can always be traced.”
Analysts have to sign data protection guarantees to ensure data is not shared or leaked, but the lack of traceability of what database searches were carried out and by whom is a serious loophole in NHS security which could leave patients vulnerable.
Computer Weekly asked NHS England and Lipscombe’s former employer, University Hospitals Coventry and Warwickshire NHS Trust, why analyst searches are not audited at many trusts and what plans are in place to change this. Neither organisation responded to the question.
NHS England had not responded to Computer Weekly’s questions when this article was published.
Following Lipscombe’s arrest in April 2024, University Hospitals Coventry and Warwickshire NHS Trust immediately suspended him, before dismissing him from his role in June 2024.
The trust said it supported Leicestershire Police with its investigations and carried out its own internal review. In a statement in November 2025, it said: “Nothing has been identified at this stage to indicate this individual’s criminal activity was committed as part of their role.”
Read more about NHS IT challenges
- NHS digital and security leaders call on their suppliers to commit to a cyber security charter as the health service works to improve its resilience.
- NHS patient data was left vulnerable by a flaw in an application programming interface used at online healthcare provider Medefer.
- Clinicians warn that the NHS England Outcome Registries Platform has poor security and is vulnerable to cyber attack, putting critical patient data at risk of being exposed.
