The Student Loans Company has been criticised by the Information Commissioner's Office (ICO) for a series of data breaches relating to customer records.
After being alerted by the Student Loans Company that personal information about customers had been sent to the wrong people, an investigation was launched by the ICO.
Sensitive data accidentally sent to a number of third parties included medical details and psychological assessments, the ICO said.
The investigation revealed that not enough checks were put in place before documents were scanned and added to customer accounts, and more sensitive documents received even fewer checks.
"For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies," said ICO Head of Enforcement, Stephen Eckersley.
"Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after.
"Our investigation showed that wasn't happening. We've spoken with the company and made clear that changes need to be made, and a formal undertaking is now in place."
The Student Loans Company has now signed an undertaking committing to improving checks before correspondence is sent out, as well as making staff more aware of its data protection policy.
"These data breaches took place in 2012 and we apologise to the three customers whose medical details were disclosed to the wrong recipients," a spokesperson for the company said in an email statement.
"When we realised our mistake, we immediately contacted the person or organisation the information had been sent to, to apologise for our mistake and to make sure the details were deleted. We also reported the breaches to the Information Commissioner's Office and will continue to keep them updated.
"SLC takes our responsibilities seriously to protect customer data under the Data Protection Act. We have put in place additional quality checks and are confident these will prevent this from happening again. We are also investing significantly in new technology and systems to improve our service to customers."
"Our investigations found that these data breaches were caused by human error when we were manually assessing the eligibility of students applying for Disabled Students' Allowance (DSA). Those customers whose details were disclosed were advised of this."
Student Loans Company CEO, Mike Laverty, recently spoke to ComputerworldUK about the £50 million IT investment it has made to improve services, following criticism from MPs.