The data protection watchdog has criticised a health board in Scotland over two incidents in which patients’ medical records were lost.

NHS Lothian breached the Data Protection Act when an unencrypted USB memory stick containing details of 137 patients was lost last June, the Information Commissioner’s Office ruled.

The incident occurred because an employee used a personally owned data storage device, which should not have been used to store personal data held by NHS Lothian.

The ICO also criticised the board over another incident, in June 2008, when a document wallet containing 25 paper files about patients was left in a shop.

It was found that employees failed to comply with NHS Lothian security requirements in both cases. The health board has said it is now taking steps to improve data protection security, including ensuring that portable and mobile devices such as memory sticks are encrypted.

Assistant information commissioner for Scotland Ken Macdonald said: “Personal information has a value. It is vital that people’s personal details are handled securely in line with the Data Protection Act.

“I am pleased that NHS Lothian is taking remedial action to improve data security.”