The Information Commissioner's Office (ICO) has found a third NHS trust in breach of the Data Protection Act within a month.
The latest enforcement action is against Brent Teaching Primary Care Trust over the theft of two laptops containing personal information about 389 patients.
The laptops were stored in a locked office, but were left out on a desk in breach of the trust's security procedures and were not encrypted.
Brent PCT has signed a formal undertaking to process personal information in line with the Data Protection Act.
Abertawe Bro Morgannwg University NHS Trust and Tees, Esk and Wear Valleys NHS Foundation Trust signed similar agreements in January.
The ICO has ordered a number of other organisations to sign undertakings following breaches of the Data Protection Act.
Organisations include the Home Office, Department of Health, Foreign and Commonwealth Office and Orange Personal Communications Services.
Mick Gorrill, assistant information commissioner, said the ICO was concerned about the way some NHS organisations are transferring sensitive records onto laptops and other mobile devices that are not encrypted.
"Organisations need to ensure they implement appropriate safeguards to ensure personal details about patients are processed securely," he said.
The Brent Teaching Primary Care Trust has undertaken to ensure staff are adequately trained and to encrypt all portable and mobile devices used to store and transmit personal information.
Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO, said Gorrill.