The information commissioner Christopher Graham has called for tougher penalties on NHS trusts and hospitals who lose patients’ personal medical records.
Mr Graham said fines of up to £500,000 could be imposed to counter what he called a “disturbing” culture in the health service.
It is believed that millions of records have been lost by health organisations in data breaches which include staff losing laptops, memory sticks and documents.
In an interview with the Independent Mr Graham said: “There’s just too much of this stuff going on.
“The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it.
“Health service workers look after their patients very carefully but don’t always look after their data very carefully.”
The commissioner has requested a meeting with the NHS chief executive Sir David Nicholson to discuss the problem.
“It’s a much wider problem and we do need some tougher penalties because the courts don’t seem to regard it as a terribly serious offence,” he added.
He made the comments as he revealed that five more health organisations had agreed to improve security following major data breaches - which can be prosecuted under section 55 of the Data Protection Act.
They include Ipswich Hospital Trust, which saw a staff member misplace 29 records, East Midlands Ambulance Service Trust, Lancashire Teaching Hospitals Foundation Trust and Basildon and Thurrock Trust.
The commissioner is also investigating how the North Central London Trust lost a laptop containing an estimated 8.3 million patient records.