Child rapist could have profiled victims through NHS data access

A former NHS analyst and convicted child rapist could have used unaudited database queries to profile the victims he was grooming, according to a whistleblower.

Paul Lipscombe was sentenced to 28 years in prison in November 2025 for committing multiple sexual offences against girls, whilst he worked as an analyst at University Hospitals Coventry and Warwickshire NHS Trust.

Leicestershire Police said that Lipscombe targeted victims aged between 12 and 15-years-old via the Snapchat social media app.

An NHS whistle blower with knowledge of the systems told Computer Weekly that Lipscombe’s analyst role could potentially have allowed him to access the personal details of the victims he was grooming through unaudited Structured Query Language (SQL) database searches.

Most hospitals have up to 20 analysts who run legitimate queries against databases, mainly using SQL, as part of their jobs and have access to data that sits behind the digital systems in hospitals to produce reports for internal use and for government.

Unlike use of the patient administration system (PAS) which is audited, access to patient information for analysts at many NHS trusts is untraceable.

The whistleblower said: “In many NHS hospitals, every time a staff member opens a patient’s record on the PAS, their access to the record is logged and auditable.

“But analysts who work directly with the underlying databases, often in SQL server, can retrieve the same personal patient details without creating an auditable record of who accessed what.”

It was not suggested that Lipscombe found his victims through the health records.

In response, a spokesperson for NHS England said: “A patient’s full medical record can only be seen by healthcare professionals directly involved in their care and there are strict controls and safeguards on how anyone else can access confidential patient information.

“All trusts are required to meet the standards set out in the Data Security and Protection Toolkit (DSPT), which include maintaining audit logs of access to information and putting in place controls to identify unauthorised access.”

Commenting on the case, cyber security expert Saif Abed, founding partner and director at The AbedGraham Group, told Digital Health News that it is important for  NHS organisations to “take a far more proactive approach to auditing their people and processes when it comes to both cyber-resiliency and data privacy“.

“Treating the DSPT as a checkbox exercise is not enough. Cyber security needs to be directly linked to board level responsibilities,” he added.

A statement from University Hospitals Coventry and Warwickshire NHS Trust, published on 11 November 2025, said: “We would like to praise the girls and their families, as well as Leicestershire Police, for their bravery and courage in bringing Paul Lipscombe to justice for his horrendous crimes.

“Following Lipscombe’s arrest in April 2024, we immediately suspended him before dismissing him from his administrative, non-patient facing role in June 2024.

“The trust has and will continue to support Leicestershire Police with its investigations and has carried out its own internal review – nothing has been identified at this stage to indicate this individual’s criminal activity was committed as part of their role.”