The Information Commissioner's Office has fined abortion provider the British Pregnancy Service £200,000 after a hacker who infiltrated the charity's site in 2012 threatened to publish the details of 10,000 people who had consulted it for advice.
BPAS has called the fine "out of proportion", and has already stated it will appeal against the decision.
The organisation statesd that it "didn't realise" that its website stored names, addresses, phone numbers and dates of birth of people who contacted it for further information on unplanned pregnancy.
David Smith, deputy commissioner and director of data protection at the ICO, said that "ignorance is no excuse".
"Data protection is critical and getting it right requires vigilance," said Smith in a statement.
"The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure.
"Ignorance is no excuse. It is especially unforgiveable when the organisation is handing information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."
The BPAS hacker - a 29 year old software engineer named James Jeffery - was sentenced in April 2012 to 32 months in jail.
At the time of the breach, BPAS said that no personal or medical details had been stolen, but a subsequent ICO investigation revealed this was not the case, leading to BPAS' defence of ignorance.
Data was not stored securely on the BPAS site, and was easily accessible by Jeffery due to a simple code exploit. The ICO also found that BPAS was keeping user details on record for five years longer than legally necessary.