Two primary care trusts have been rapped for data security breakdowns, bringing the total number of NHS organisations in trouble over such lapses to three already this month.

Last week, NHS Great Yarmouth and Waveney and NHS Gloucestershire both signed formal undertakings with the Information Commissioner’s Office to improve security measures around personal data.

Patient data should have been held on a local server rather than on the hard drives of the stolen computers

The ICO has ruled that both PCTs were in breach of the Data Protection Act.

Two desktop computers, containing data relating to more than 1,000 occupational health patients and staff members, were stolen from NHS Great Yarmouth and Waveney.

“The data was held on these computers rather than on a network server, and was in easily accessible form without password protection,” the ICO said.

Meanwhile, six desktop computers, containing personal data relating to 2,270 patients, were taken from a locked office at NHS Gloucestershire.

“The computers were used by medical secretaries for preparing letters and notes relating to diagnosis and referral of patients. This patient data should have been held on a local server rather than on the hard drives of the stolen computers,” the ICO said.

Earlier this month, Maidstone and Tunbridge Wells Trust made a similar pledge to the commissioner, saying it would ensure any personal data held on laptops or other removable media would be encrypted within six months.

It follows the theft of an unencrypted laptop computer in July and three encrypted laptops in August.