The Royal Cornwall Hospitals NHS Trust breached the Data Protection Act by disclosing third-party personal data on two occasions, according to the Information Commissioner's Office (ICO).
The ICO said that the first breach happened in July 2010 when an individual received another person's information following a subject access request for information held about them.
Also in December 2010, the same requester made a second subject access response that again contained third party information.
Acting head of enforcement at the ICO, Sally-Anne Poole, said: “More and more people today want to find out exactly what information their GP or hospital holds about them, making subject access requests an increasingly popular tool.
“However, just because staff are busy with requests, this does not mean they can stop doing adequate checks before information is sent out. I am pleased that Royal Cornwall Hospitals NHS Trust has agreed to take the necessary steps to make sure this sort of incident doesn't happen again.”
Peter Colclough, chief executive of Royal Cornwall Hospitals NHS Trust, has signed an undertaking to ensure that procedures for dealing with subject access requests are clearly defined and managed and that all staff receive appropriate training and support in how to follow them.