Royal Wolverhampton Hospitals NHS Trust lost a CD containing the unencrypted records of 112 patients from the intensive care unit of New Cross Hospital's heart and lung unit, the Information Commissioner's Office (ICO) has found.
The CD was discovered at a bus stop near the hospital. It had no password protection. Neither the trust nor the ICO was able to say why or how the CD was made.
The Royal Wolverhampton Hospitals NHS trust has signed a formal undertaking to tighten security procedures governing the copying of patient records.
The ICO's head of enforcement, Mick Gorrill, said: "The fact that this information was several years old is of no consequence. Patients' personal data should always be handled in accordance with the Data Protection Act (DPA). I am pleased the trust has agreed to take remedial steps to ensure such an incident does not happen again."
Investigations by the trust and the ICO showed there were weaknesses in the trust's data protection procedures. This included a lack of timeliness in recalling patients' charts released to consultants.
Read more on IT legislation and regulation
DeepMind Health must be transparent to gain public trust, review finds
Royal Free and Google DeepMind data sharing not compliant with DPA, ICO rules
NHS trust’s data sharing deal with Google firm is illegal, finds ICO
Google DeepMind patient data-sharing based on inappropriate legal grounds, says Caldicott