A trust has signed an agreement to tighten up its data protection procedures after more than 100 copies of patient records were found on a CD left at a bus stop.

Royal Wolverhampton Hospitals Trust was found to have breached the Data Protection Act by the Information Commissioner, after the unencrypted scans of patient records, which were not password-protected, were found at a bus stop in Wolverhampton.

Following an investigation, the commissioner said a CD containing 112 scans of patient charts from the intensive care unit of the trust’s heart and lung unit, was passed to a local newspaper by someone who said they found it at a bus stop.

An internal investigation carried out by the trust could not establish how the CD was made.

Separate investigations by both the commissioner and the trust revealed weaknesses in the trust’s data protection procedures. For example, the patient charts were released to consultants who wanted to see them, but were not chased for return for around one month later.

The trust has now agreed to sign an undertaking to the Information Commissioner that it will implement extra security measures to protect data, including ensuring that patient charts given to consultants are signed for on receipt and chased for return after one week.

In a statement, Royal Wolverhampton Hospitals Trust said: “We will implement all recommendations over the coming weeks and these actions will be monitored by several directors here at the trust.”