The Information Commissioner's Office has warned NHS trusts to take much more assertive steps to protect patient records.
The warning comes as the ICO found five health organisations had seriously breached the Data Protection Act. Electronic patient records are being rolled out across the country, both within and outside the troubled £11.7 billion NHS National Programme for IT.
A recent Public Accounts Committee hearing into the programme saw officials at the Department of Health disclose that 800,000 clinicians are able to log in to the patient records systems within the National Programme alone - although the officials also gave a detailed defence of the security in place. The ICO is working with Connecting for Health, which is in charge of the NHS National Programme, to help guide trusts on security.
Five NHS trusts have been issued with ICO undertakings, all of which the data protection body said "relate to incidents where they failed to take appropriate steps to ensure that sensitive personal information was kept secure".
Among the cases covered by the undertakings, East Midlands Ambulance Service NHS Trust lost an unencrypted memory stick containing sensitive personal data relating to a number of patients. Additionally, Dunelm Medical Practice in Durham sent out two patients' electronic discharge letters, containing sensitive personal data, including medical information.
Procedures around paper records were also brought to light by the ICO, after Basildon and Thurrock University Hospitals NHS Foundation Trust sent out a fax with personal patient data to the wrong recipient, Ipswich Hospital NHS Trust left 29 patient records in a public place, and Lancashire Teaching Hospitals NHS Foundation Trust faxed sensitive personal data to a member of the public on several occasions.
"The health service holds some of the most sensitive personal information of any sector in the UK," said Information Commissioner Christopher Graham. "Millions of records are constantly being accessed and we appreciate that there will be occasions where human error occurs."
He said there needed to be a "culture change" and added: "The policies and procedures may already be in place but the fact is that they are not being followed on the ground. Health workers wouldn't dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number."