An NHS trust has been fined £325,000 by a data protection watchdog after highly sensitive files of tens of thousands of patients, including details of HIV treatment, ended up being sold on eBay.

Brighton and Sussex University Hospitals NHS Trust was fined because it failed to ensure hard drives containing the information were wiped after they were handed over to a contractor. The fine from the Information Commissioner's Office (ICO) is the highest ever issued.

The Trust's IT service provider, Sussex Health Informatics Service, was asked to destroy information on 1,000 hard drives in 2010. They were held in a room accessed by key code at Brighton General Hospital.

But they handed the job to an unnamed individual sub-contractor who did not wipe out the drives and took at least 252 out of the hospital. The majority found their way on to the internet in October and November 2010. The sub-contractor was arrested by police but no charges were brought over the incident, the trust said.

The personal data included details of patients' medical conditions, such as sexually transmitted diseases and treatment, disability living allowance forms and children's reports.

Duncan Selbie, chief executive of Brighton and Sussex University Hospitals, said: "We dispute the Information Commissioner's findings, especially that we were reckless, a requirement for any fine. We simply cannot afford to pay a £325,000 fine and are therefore appealing."