Two trusts have been found in breach of the Data Protection Act for losing and failing to secure information about patients.
A laptop carrying unencrypted data of some 5,000 patients, including health records, was stolen from Abertawe Bro Morgannwg University trust, in South Wales, in April.
The Information Commissioner's Office said it was believed the computer was stolen by an opportunistic thief from an unlocked office. The trust has signed an agreement with the commissioner to encrypt all data and improve security.
Tees, Esk and Wear Valleys foundation trust lost a memory stick containing unencrypted personal information about patients and staff. The stick was passed to the media, prompting the trust to carry out an investigation. The organisation has agreed to put in place encryption procedures and advise external contractors.
Assistant information commissioner Mick Gorrill said: "Even though one case involved the theft of a laptop, the data controller is responsible for ensuring any personal data is adequately protected.
"The Data Protection Act clearly states organisations must take appropriate measures to ensure personal information is kept secure."