The Information Commissioner's Office has slapped a Welsh Health Board with a £70,000 fine, after a doctor's email blunder resulted in a patient's detailed psychiatric report being sent to another patient with a similar surname.
It is the first time the ICO has issued a fine to an NHS organisation.
The doctor had emailed a letter to his secretary for formatting, but used two different spellings of the patient's name, which caused it to be sent to the wrong recipient.
The ICO said an investigation into the incident found worrying practices taking place at the Health Board that could be repeated in the future and justifying its use of a fine in this instance.
"Further investigations revealed that neither the consultant nor the secretary involved in this incident had received any data protection training from the data controller, and that practices such as had led to this incident were quite widely used by clinical and secretarial staff within the organisation," it said.
"The Commissioner considers the contravention of the [Data Protection Act] serious and that the imposition of a monetary penalty is appropriate. Further that a money penalty in the sum of £70,000 is reasonable and proportionate given the facts of the case."
The fine is the first levied against the NHS despite numerous incidents within the sector, including eight million records being lost on a laptop, and the head of the ICO, Christopher Graham, slamming the data handling record of the NHS in the past.
The ICO has issued a fine of £375,000 against the Brighton and Sussex University Hospitals NHS Trust over the theft of a hard drive that contained sensitive information but the Trust is currently changing the penalty.
Geoengineering on the sea floor near glaciers would form a new ice shelf to prevent melting
Alterations in capillary blood flow can be caused by body position change
Curiosity rover is in 'normal mode' but not transmitting scientific data back to base
NatWest outage comes a day after Barclays' IT systems shut out customers and staff