Over 200 NHS organisations have admitted to losing sensitive personal information in the past two years, according to the Information Commissioner's Office (ICO).
These data breaches account for nearly 30% of all data breaches reported to the ICO since HMRC lost 25 million child benefit records in November 2007.
Nearly a third (32%) of all breaches reported involved theft.
The ICO said it has investigated organisations, including several NHS bodies, that have failed to secure their premises and hardware adequately.
Mick Gorrill, assistant commissioner for investigations, said organisations, especially NHS bodies, should ensure the level of security is appropriate for the type of data they are holding.
The ICO has taken action against 54 organisations for the most reckless breaches in that time, said David Smith, deputy information commissioner.
"We expect the prospect of a significant fine [from 2010] for reckless or deliberate data breaches will focus minds at board level," he said.
UK organisations that break data protection rules could face fines of up to £500,000 under new ICO powers scheduled to come into force from next year.
The new powers will give the ICO formal inspection powers across government.
The ICO will also increase its auditing role to ensure greater compliance with the Data Protection Act.