Health firm Bupa has been fined £175,000 after an employee was able to access thousands of patients' files to sell on the dark web.
Data watchdog the Information Commissioner's Office (ICO) said Bupa did not have effective security in place to stop the employee, who extracted personal information from 547,000 customers.
The employee was able to access the information through the company's customer relationship management system called SWAN, which holds records for around 1.5m people.
Read more: Equifax gets maximum fine for data breach
He then sent bulk data reports, including the names, date of birth, email addresses and nationalities of customers, to his personal email account.
After that, he put the information for sale on the dark web, an encrypted part of the internet which hosts markets commonly used for criminal activity.
"Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it," said ICO director of investigations Steve Eckersley.
"Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO's investigation found no satisfactory explanation for them."
A spokesperson for Bupa said the company had accepted the decision by the ICO and cooperated fully with its investigation.
"We take our responsibility for protecting customer information very seriously," they added. "We have since introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks."