Dr Minh Alexander retired consultant psychiatrist 9 April 2026
Paul Lipscombe former Associate Director of Performance and Informatics at University Hospitals of Coventry and Warwickshire NHS Trust (UHCW) was sentenced in November 2025 at Leicester Crown Court to over 28 years imprisonment for very serious sexual crimes against children, some violent.
He committed these crimes whilst employed by UHCW.
I examined the transcript of the sentencing proceedings and also requested FOIA data from the trust to better understand the trust’s governance of these matters.
Some troubling questions arose, such as why the trust delayed in reporting his arrest to the Care Quality Commission (CQC). There also appeared to be little attempt at organisational learning in response to his crimes:
Did the NHS learn anything from Paul Lipscombe’s crimes? UHCW, CQC and Fit and Proper Persons
Of note, UHCW explicitly claimed to me via FOIA that there was no evidence that Lipscombe had used trust systems in the furtherance of his crimes.
Since then, an NHS IT whistleblower has contacted the magazine Computer Weekly, well known for its long running work in exposing the Post Office Horizon computer scandal.
The NHS IT whistleblower told Computer Weekly that there are gaps in NHS IT governance which allow NHS analysts like Lipscombe to untraceably search for patient’s personal data, such as addresses. It seems therefore quite possible that Lipscombe could have used trust IT systems to identify and/or triangulate and locate his victims:
Child rapist could have profiled victims through unaudited access to NHS databases
Of concern, UHCW reportedly failed to respond to Computer Weekly when asked for comment.
I have raised my concerns about trust governance with the CQC and also passed on the additional whistleblower intelligence as reported by Computer Weekly.
CQC says it has reviewed the matters at its FPPR (CQC Regulation 5 Fit and Proper Persons) committee and that it will raise these issues with the trust.
The FPPR process is unlikely to amount to any concrete action based on past history but at least there will be a degree of scrutiny, and it will be useful to see how the trust responds on the issue of IT traceability.
I have also asked UHCW directly via FOIA for a formal response about the issue of untraceable analyst access to patients’ personal data.
I have put it to the CQC that this unauditable activity appears to be a systemic safety issue that NHS system regulators should jointly address, and not just an issue for UHCW.
I note that NHS England gave a late and deflective response to Computer Weekly, which failed to address the issue of unaudited analyst access:
“An NHS England spokesperson said: “A patient’s full medical record can only be seen by healthcare professionals directly involved in their care and there are strict controls and safeguards on how anyone else can access confidential patient information.
[my emphasis]
The insertion of the words “full medical record” adds another lawerly dimension of wriggle room.
These evasions by NHS England only serve to increase concern.
But NHSE does usefully also add:
“All trusts are required to meet the standards set out in the Data Security and Protection Toolkit, which include maintaining audit logs of access to information and putting in place controls to identify unauthorised access.”
Alexander's Excavations 