The loss of sensitive data on a USB stick by a hospital in Scotland could be a pivotal case for the Information Commissioner's Office (ICO), says security firm Credant Technologies.
The ICO is keen to use its new powers to enforce data protection in the UK, David Smith, deputy information commissioner, told Infosecurity Europe 2010 in London.
Since 6 April, the ICO has been able to impose fines of up to £500,000 for serious data breaches where there is potential harm to individuals.
The loss of sensitive data by a hospital unit in Scotland that cares for adults with severe mental health problems could qualify, said Sean Glynn, product manager at Credant Technologies.
A member of staff at the Tryst Park unit at Bellsdyke Hospital has been suspended after a USB stick containing the criminal histories of patients and details of staff was found in a car park in Stenhousemuir, according to the BBC.
The incident is the latest in a long list of data losses by the NHS, highlighted by Smith in his keynote at Infosecurity Europe.
He said the NHS was responsible for the most data losses by a single group in the past two years, accounting for about a third of all breaches reported.
The continued loss of data by the NHS highlights the urgent need for encryption of payroll, human resources and medical records of all types, said Glynn.
As the UK's various health entities migrate their patient records over to electronic systems, the argument for the highest level of encryption is even stronger, he said.
"If the NHS doesn't move quickly to fix its grass roots security processes, these data leaks will carry on happening," said Glynn.
The ICO should push for the NHS to appoint someone to oversee data security issues at all levels, he said.