Brighton and Sussex University Hospitals NHS Trust is contesting a £375,000 fine from the Information Commissioner's Office (ICO) over the theft of hard drives containing patient data.
Some 232 out of 1,000 hard drives belonging to the trust were stolen while they were under the responsibility of a contractor for decommissioning, and sold on. Details of thousands of patients and staff were believed to have been put at risk.
The ICO has sent the trust a letter of intent to impose a £375,000 fine for the potential data breach.
However, the trust said it will challenge the fine as it was a "victim of a crime".
"We subcontracted the destruction of these hard drives to a registered contractor, who subsequently sold them on eBay.
"As soon as we were alerted to this, we informed the police and with their help we recovered all the hard drives stolen by this individual. We are confident that there is a very low risk of any of the data from them having passed into the public domain," said Duncan Selbie, Brighton and Sussex University Hospitals chief executive.
Sussex Health Informatics Service, the contracting company, was responsible for disposing of the hard drives for the trust, and had appointed an individual to do the job.
According to The Argus, a 36-year-old man from Seaford was arrested on suspicion of theft and bailed a number of times, but the police have decided not to take the case further.
In December 2010, a data recovery organisation bought four of the trust's hard drives on eBay.
It contacted the trust, which collected the hard drives and destroyed the information.
Brighton and Sussex University Hospitals has until 23 January to respond to the ICO's letter of intent, which the regulator will consider before making a final decision on whether it will issue a final penalty notice.
"The ICO is currently making enquiries into a possible breach of the Data Protection Act and is unable to speculate on what action will be taken at this time," an ICO spokesperson said.