Sensitive personal details were mistakenly sent out in the post by York City Council, breaching data protection laws, an inquiry has found.
The council has been criticised by the Information Commissioner's Office (ICO) for the mix-up.
It happened when the personal documents were left by a printer and accidentally included in a bundle of papers posted to an unrelated third party.
The council has now introduced new security measures.
The ICO said the case highlighted a lack of quality control, personal responsibility and management supervision.
Acting head of enforcement, Sally-Anne Poole, said: "This case highlights the need for employees to take responsibility and ownership of tasks that involve handling personal data.
"If the documents had not been left unattended by the printer and had been carefully checked before they were sent out then this situation could easily have been avoided.
"We are pleased that the City of York Council has introduced new security measures governing the use of its printers and that staff will now be required to carry out appropriate quality control checks to avoid information being incorrectly disclosed in this manner."
Kersten England, the council's chief executive, has signed an undertaking that new procedures will be introduced to prevent a repeat of the situation within four months.