Royal Cornwall Hospitals NHS Trust has breached the Data Protection Act by disclosing personal data on two occasions, according to the Information Commissioner's Office (ICO).
The first breach happened in July 2010 when an individual received a response to a subject access request for information the Trust held about them. Instead of sending the requester information solely about them, the Trust disclosed someone else's information. A similar disclosure occurred in December 2010 when the same requester received a second subject access response containing third-party information.
Sally-Anne Poole, acting head of enforcement at the ICO, said: "More people today want to find out exactly what information their GP or hospital holds about them, making subject access requests an increasingly popular tool.
"However, just because staff are busy with requests does not mean they can stop doing adequate checks before information is sent out. I am pleased that Royal Cornwall NHS Hospital Trust has agreed to take the necessary steps to make sure this sort of incident doesn't happen again."
Peter Colclough, CEO of Royal Cornwall Hospitals NHS Trust, has signed an undertaking to ensure that procedures for dealing with subject access requests are clearly defined and managed, and that all staff receive appropriate training and support in how to follow them.