The Information Commissioner's Office (ICO) is considering hitting a hospital with its heaviest fine to date following the theft of unencrypted hard drives from the Brighton and Sussex General in September 2010.
According to the Argus newspaper, 232 hard drives were stolen, out of 1,000 that were to be decommissioned.
The hard drives were stolen by a contractor, and some of them subsequently turned up for sale on auction site eBay.
The BBC has reported that the Information Commissioner was considering levying £375,000 on the hospital.
The hospital has said it will challenge the proposed penalty.
This move follows the ICO's commitment earlier this month to focus its data protection work on the health and criminal justice sectors.
The ICO was granted the power to issue fines of up to £500,000 for breaches of the Data Protection Act in April 2010, but the penalties had been relatively minor until recently.
This appears to be changing though; just four weeks ago, it issued a fine to Powys County Council of £130,000 – its biggest fine to date – for failing to protect the personal data of vulnerable young people.