Martin Campbell may have accessed about 29 NHS patients' details, the ICO said. The patients received medical treatment for injuries at Prestwich and Moorgate Primary Care walk in centres in Bury, the ICO said.
Campbell was provided with the information by his former girlfriend Dawn Makin who worked as a nurse at the centres, according to the ICO statement.
Campbell used the information to contact the injured patients to invite them to make personal injury claims, the ICO statement said. Campbell is a former employee of Direct Assist, a Bury-based personal injuries company, the ICO said.
Under the UK Data Protection Act it is a criminal offence to knowingly or recklessly obtain personal information without consent.
Bury Magistrates Court ordered Campbell to pay a £1,050 fine, £1,160 towards prosecution costs and a £15 victims' surcharge, the ICO said.
“People’s medical information is some of their most sensitive data and they rightly expect health workers only to access it when there is a legitimate business need," Information Commissioner, Christopher Graham, said in an ICO statement (3-page / 30KB PDF).
"Abusing this trust for personal gain is clearly wrong and potentially very distressing for those affected," Graham said.
“Martin Campbell would have known that obtaining the information was unlawful and yet he put his greed ahead of peoples’ privacy rights. [This] prosecution should help to serve as a deterrent to those who attempt to illegally obtain and pass on people’s information," the Information Commissioner said.
The Bury Primary Care Trust launched an investigation when it received complaints from patients, the ICO said. The patients had been encouraged to make personal injury claims by a man who had contacted them about their injuries, it said.
The Trust reported the findings of its investigations to the ICO after discovering that Makin had accessed the patients' files without a legitimate reason, the ICO statement said.
"The ICO will always pursue prosecutions where individuals breach both their duty of confidentiality and the Data Protection Act," the Information Commissioner, Christopher Graham, said.
"Those whose responsibilities include the custodianship of sensitive personal data should take note,” Graham said.
The ICO did not pursue a case against Makin after deciding it was not in the public interest.