The hospitals involved have accepted that the breaches involved information classed as personal data under the Data Protection Act (DPA) and have said that they will change the way they deal with data in the future.
The Royal Free Hampstead NHS Trust lost a CD containing the details of medical treatment received by 20,000 cardiology patients. The disc was unencrypted.
A handover sheet for a ward belonging to the Surrey and Sussex NHS Trust was found on a bus. It contained details of the care of 23 patients. That Trust also had two unencrypted laptop computers stolen.
Hampshire Partnership NHS Trust lost a computer containing the details of 349 patients and 258 staff, while Chelsea and Westminster Hospital Foundation Trust lost a memory stick containing the sensitive medical information of 143 patients. The stick was neither encrypted nor password protected.
Epsom and St Helier University Hospital NHS Foundation was also censured for storing hospital records insecurely for nearly two years.
“These five cases serve as a reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security,” said the ICO's head of enforcement and investigations, Sally-anne Poole. “It is important that staff adhere to policies designed to protect individuals’ sensitive information.”
“Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Failure to do so could result in patient information, including sensitive medical records and treatment details, falling into the wrong hands,” she said.
The DPA requires organisations to take 'appropriate measures' to ensure that personal data is protected.
The NHS bodies have all signed formal undertakings promising to improve their practices. If they break the terms of the undertakings they could face enforcement action by the ICO.