The personal details of 8,000 people have been lost on an unencrypted memory stick by Lampeter Medical Practice.
The Information Commissioner's Office found the practice, which is in Wales, in breach of the Data Protection Act after a member of staff downloaded patient details to an unencrypted and non password protected memory stick.
The memory stick was then posted by recorded delivery to the Health Board's Business Service Centre but did not arrive.
Lampeter Medical Practice, has agreed to take steps such as encrypt all mobile devices, secure premises and make sure staff understands the security policy.
Sally-anne Poole, enforcement group manager at the ICO, said it is unnecessarily risky to download 8,000 personal details on to a memory stick.
"It is imperative that staff are fully aware of an organisation's policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft."