Almost 2000 staff have had their personal details leaked after a Merseyside health care trust "accidentally" sent them out.
It is thought about 1800 people have been affected
Trade union Unite is calling for an urgent investigation into why Sefton Primary Care Trust sent staff details out to four medical organisations.
The blunder includes dates of birth, National Insurance numbers, salary and pension details for all staff.
The companies were bidding for services within the trust.
The chief executive of Sefton PCT Dr Leigh Griffin, has sent a letter to all staff apologising for the "accidental release of their personal data".
The PCT said about 1800 people are affected.
However the PCT said it would not reveal who the four organisations were due to "commercial confidentiality".
Union officials said medical staff were concerned they would be vulnerable to fraud.
They have asked all members to take precautions by examining their bank accounts, and changing their passwords.
Kevin Coyne, Unite national officer for health, said: "It is disgraceful that an organisation trusted to protect the highly personal and sensitive medical details of thousands of patients can expose their staff in such a dangerous way and then deny them the information of where the information has been illegally sent.
"This is a clear breach of the data protection law and if it was an accident, an inquiry must be launched into how and why such sensitive information was passed on to so many external organisations."