The Information Commissioner's Office (ICO) said the fine, for Brighton and Sussex University Hospitals NHS Trust, was the highest it had ever imposed.
Personal data belonging to patients and staff was taken from Brighton General Hospital in September 2010.
The trust said it could not afford to pay the fine and would appeal, the BBC reported.
Highly sensitive personal data belonging to tens of thousands of people, including records relating to HIV and genito-urinary medicine (GUM) patients, was discovered on hard drives sold on eBay in October and November 2010.
The ICO said the data included details of patients' medical conditions and treatment, disability living allowance forms and children's reports.
It also included staff details including National Insurance numbers, home addresses and information referring to criminal convictions and suspected offences.
The data breach occurred when an individual working for the trust's IT service provider, Sussex Health Informatics Service (HIS), was told to destroy approximately 1,000 hard drives at Brighton General Hospital.
Instead of being destroyed, at least some of the drives were resold: a data recovery company bought four hard drives from a seller on eBay, who had purchased them from the individual.
The ICO's deputy commissioner David Smith said the fine reflected the gravity and scale of the data breach.
"It sets an example for all organisations - both public and private - of the importance of keeping personal information secure," he said.
The trust's chief executive, Duncan Selbie, claimed no sensitive data had entered the public domain.
"We dispute the Information Commissioner's findings, especially that we were reckless, and a requirement for any fine," he said.
"It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine."