The Information Commissioner's Office (ICO) has found two more NHS organisations in breach of the Data Protection Act.
The chief executives of NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS Foundation Trust have both signed formal undertakings to improve data security.
The ICO said it remains "highly concerned" that data breaches involving personal information are continuing to occur in NHS organisations.
The NHS accounts for a quarter of all data breaches reported, the ICO said.
"Health bodies must implement the appropriate procedures when storing and transferring patients' sensitive personal information," said Mick Gorrill, head of enforcement at the ICO.
In the latest incidents, 2,000 paper physiotherapy records were lost because they were not filed in NHS Stoke-on-Trent's archive system, while at Basingstoke and North Hampshire NHS Trust a spreadsheet containing 917 patients' pathology results was e-mailed via an unsecure address to another department.
The spreadsheet was not password protected and the receiving department had no business need to have access to the excessive amount of clinical records, the ICO said.