The Belfast Trust could be fined up to £500,000 after thousands of cancer patients' notes were left abandoned at Belvoir Park Hospital in south Belfast.
The Irish News reported sensitive medical documents were removed from the site, some of which were later put up for sale on the internet.
It is also claimed the intruders took photos of x-rays and equipment.
The Office of the Information Commission has launched an investigation.
Ken MacDonald, assistant information commissioner for Northern Ireland, said the trust could be fined for failing to properly dispose of the documents.
"There are various options that we have. The strongest option is serving of a monetary penalty which can be up to £500,000," he said.
"I have to say though this depends on the actual date this was discovered by the trust and what they did after it, because that power only came into effect in April last year.
"If we find they are not eligible for a monetary penalty then it is possible we could serve an enforcement notice, which would require them to take certain action in the event of vacating another premises."
The Irish News obtained a serious adverse incident report from the trust which confirmed there had been a breakdown in communication.
In a statement, the Belfast Trust reassured the patients whose details were stolen that they are not at risk.
It read: "Since the break-in we have increased security and secured files.
"These are old pictures brought to the trust's attention two-and-a-half years ago after a break-in and patients and their families should not be concerned."
Irish News editor Noel Doran said the hospital had been locked up but it was not properly secured.
"Intruders were able to gain access to the building quite easily, it would appear, not only to rummage through the files but quite astonishingly the electricity was left on and they were able to access the x-ray machines.
"The final alarming twist in this whole debacle was after the report was completed the authorities failed to notify the information commissioner, who oversees breaches of the Data Protection Act."
Mr MacDonald said he was "surprised" by the trust's decision not to inform the Information Commission about the alleged security lapse.
He ordered a full investigation after reading newspaper reports on Monday and said he was "disturbed" by the incident.
"I know people will be appalled. I'd hate to be in that position myself. This is one of the worst incidents that could happen," he added.
The Belfast Trust said the Information Commissioner was not informed about the actions of the intruders as "no sensitive data was lost".
It added: "We have however now informed the Commissioner of the need to destroy a small number of damaged images which had not been kept for the legal requirement of eight years.
"The details have been added to patients' files."
Belvoir Park Hospital opened over 100 years ago and includes several listed buildings.
It used to be Northern Ireland's main cancer treatment centre until services were transferred to a new £60m facility in Belfast City Hospital four years ago.