Confidential information belonging to tens of thousands of patients and staff was at risk of being exposed after computer hard drives were stolen and put up for sale on eBay.
The hard drives were taken from computers in a locked store at Brighton General Hospital where they were being decommissioned.
Brighton and Sussex University Hospitals NHS Trust now faces a £375,000 fine from the Information Commissioner’s Office (ICO) for a breach of the Data Protection Act.
The trust says it will be contesting the fine.
A 36-year-old man from Seaford was arrested on suspicion of theft and bailed several times but the Crown Prosecution Service decided to take no further action.
The trust has been served with a notice of intent to fine by the ICO and has until January 23 to respond before a final decision is made.
The incident relates to the theft of 232 drives out of 1,000 being decommissioned.
The Sussex Health Informatics Service was responsible for the disposal of the drives on the trust’s behalf and had appointed an individual to carry out the job.
In December 2010 it emerged four hard drives had been bought by a data recovery organisation on eBay.
The buyer contacted the trust and the drives were collected with the information destroyed.
An investigation revealed that 232 hard drives in total had been stolen and sold on.
The trust worked with the ICO, NHS Counter Fraud and Sussex Police and all the drives have been recovered.
The trust says there was a very low risk of any of the data being passed into the public domain.
But the ICO accused the trust of failing to take appropriate technical and organisational measures against the accidental loss of personal data.
It said this was “likely to cause substantial distress to data subjects whose personal and highly sensitive personal data has been taken by an individual who had no right to see that information.”
Trust chief executive Duncan Selbie said: “This was a crime and we co-operated fully throughout.”