An NHS trust has been fined £325,000 by a data protection watchdog after highly sensitive files of tens of thousands of patients, including details of HIV treatment, ended up being sold on eBay.

Brighton and Sussex University Hospitals NHS Trust was given the penalty because it failed to ensure hard drives containing the information were wiped after they were handed over to a contractor.

The fine from the Information Commissioner's Office (ICO) is the highest issued by the watchdog since it was granted the power in April 2010.

The Trust's IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy information on around 1,000 hard drives in September and October 2010 that were held in a room accessed by key code at Brighton General Hospital.

But they handed the job over to an unnamed individual sub contractor who did not wipe the drives and he took at least 252 out of the hospital and 232 of them found their way on to the internet in October and November 2010.

He was arrested by police but no charges were brought over the incident, the trust said.

The highly sensitive personal data included details of patients' medical conditions, such as sexually transmitted diseases and treatment, disability living allowance forms and children's reports.

It also included documents containing staff details like National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

Today the trust said it disputed the ICO'S finding and said it would appeal.

It said it had recovered all the disks and no information had got into the public domain and it could not afford the fine.