Blackpool Teaching Hospitals NHS Foundation Trust has been fined £185,000 for publishing details of thousands of staff online.
The Information Commissioner's Office has fined the trust after it posted the private details of more than 6,50 members of staff on its website in March 2014.
This included their National Insurance number, date of birth, religious beliefs and sexual orientation.
A statement from the ICO said the trust failed to notice the mistake for 10 months and then took a further five months to alert affected staff.
Stephen Eckersley, head of enforcement, said: “his trust played fast and loose with the highly sensitive and private information that was entrusted to them. It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others.
“Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief.”
The information was volunteered by staff as part of Blackpool’s commitment to publish annual equality and diversity metrics on its website.
But the trust failed to notice that the published spreadsheets also contained hidden data that became visible by double-clicking the table.
Eckersley added: “there was a need for robust measures to safeguard against this kind of disclosure. I can see no good reason for that not happening and that is why we have taken action.”