London Health Programmes (LHP), a medical research organisation based at the NHS North Central London health authority, has lost a laptop containing unencrypted details of 8.63 million people.
The data on the laptop does not include names, but patients could be identified from postcodes and details such as gender, age and ethnic origin, according to The Sun.
Even though the laptop, along with 19 others, went missing three weeks ago, the incident has just been reported to police and it is still unknown whether the laptops have been stolen or simply mislaid.
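The article notes that the records carry no names but could still identify patients through postcode, gender, age and ethnic origin. The following added example (not from the article or from LHP; the eight records are constructed, not real patient data) measures that risk as k-anonymity over those four quasi-identifiers and shows how generalising postcode to district and age to a ten-year band raises the smallest group size from 1 to 2:

```python
from collections import Counter

# Constructed sample records: no names, only the quasi-identifiers the
# article lists. Values are invented for illustration.
RECORDS = [
    {"postcode": "N19 5NF", "gender": "F", "age": 34, "ethnicity": "White British"},
    {"postcode": "N19 5QQ", "gender": "F", "age": 36, "ethnicity": "White British"},
    {"postcode": "N19 5NF", "gender": "M", "age": 52, "ethnicity": "Asian Indian"},
    {"postcode": "N19 5QQ", "gender": "M", "age": 57, "ethnicity": "Asian Indian"},
    {"postcode": "NW1 2BU", "gender": "F", "age": 71, "ethnicity": "Black Caribbean"},
    {"postcode": "NW1 2BU", "gender": "F", "age": 74, "ethnicity": "Black Caribbean"},
    {"postcode": "NW1 2BU", "gender": "M", "age": 29, "ethnicity": "White British"},
    {"postcode": "NW1 2BU", "gender": "M", "age": 29, "ethnicity": "White British"},
]

FULL_KEYS = ("postcode", "gender", "age", "ethnicity")


def postcode_district(postcode):
    """Generalise a full UK postcode ('N19 5NF') to its outward code ('N19')."""
    return postcode.split()[0]


# Coarsening applied per field when assessing a generalised release.
GENERALISED = {"postcode": postcode_district, "age": lambda a: a // 10 * 10}


def equivalence_classes(records, keys, generalise=None):
    """Count records sharing the same combination of quasi-identifier values."""
    generalise = generalise or {}
    identity = lambda v: v
    project = lambda r: tuple(generalise.get(k, identity)(r[k]) for k in keys)
    return Counter(project(r) for r in records)


def k_anonymity(records, keys, generalise=None):
    """Smallest equivalence class; k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, keys, generalise).values())


def unique_records(records, keys, generalise=None):
    """Number of records that are alone in their equivalence class."""
    return sum(1 for c in equivalence_classes(records, keys, generalise).values() if c == 1)


if __name__ == "__main__":
    print("raw:        k =", k_anonymity(RECORDS, FULL_KEYS),
          "unique =", unique_records(RECORDS, FULL_KEYS))
    print("generalised: k =", k_anonymity(RECORDS, FULL_KEYS, GENERALISED),
          "unique =", unique_records(RECORDS, FULL_KEYS, GENERALISED))
```

On real data the count of k=1 records is the direct measure of how many people a finder of the laptop could single out from "anonymous" rows; generalisation only reduces the risk, so it complements rather than replaces disk encryption.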
Data encryption essential
Chris McIntosh, chief executive of ViaSat UK (formerly Stonewood), says regardless of whether theft was involved, the key point is that the data was not encrypted.
An ICO spokesperson said: "Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach."
The ICO has found several organisations in breach of the Data Protection Act for failing to encrypt sensitive personal information and imposed monetary penalties in the most serious of cases.
The most recent case at the end of May involved the Sheffield-based charity Asperger's Children and Carers Together (ACCT) and Nottingham-based charity Wheelbase Motor Project. Both charities lost laptops containing unencrypted sensitive information relating to young people.
"When a machine contains highly sensitive information on literally millions of patients, not securing the data on it by any means possible isn't just careless: it's sheer negligence," said McIntosh.
With the data on such a machine valued at tens of thousands of pounds, spending a little extra on security should be a no-brainer, he says.
"London Health Programmes cannot claim it was ignorant of the dangers of unencrypted machines and the risks of a loss. There has been a huge focus on IT security recently, as incidents such as the Sony hack put ordinary consumers at risk," said McIntosh.
Nick Lowe, regional director for Northern Europe at data security firm Check Point, says the scale of this potential data loss shows how essential it is to have mandatory, strong encryption on all sensitive personal data held on laptops and portable storage devices, even if those devices are stored in supposedly secure areas within buildings.
"But according to our December 2010 survey, less than half of all UK firms encrypt their laptops - and that figure has not really changed in the past three years - so data security is still being mostly left to chance," he said.