A hospital trust is stepping up data security after three unencrypted USB sticks containing patients’ personal information were lost or stolen.

Ashford and St Peter’s Hospitals Trust reported the breach to the Information Commissioner’s Office and has promised to take steps to improve the storage and use of data.

The USB sticks were all unencrypted and included details about the full treatment and full diagnosis history of numerous cancer patients.

The details were easily accessible to any computer user as they were saved in a Word format.

Trust chief executive Andrew Liles has signed an undertaking that promises to implement a changed policy to ensure the safe storage of personal data.

The trust will ensure staff receive appropriate training and are aware of the hospital’s policy for the storage and use of personal data.

Mr Liles said: “We are extremely sorry that this incident happened, and have apologised to each of the 76 patients concerned. We take incidents of this severity extremely seriously indeed and each patient was individually contacted as soon as the data loss became clear earlier this year. We also wrote to each patient’s GP.”

ICO assistant commissioner Mick Gorrill said: “I urge all NHS organisations to restrict and encrypt the amount of sensitive information stored on portable devices.

“In this case, our investigation found that there was a lack of understanding and awareness among staff of their responsibilities under the Data Protection Act.

“Good data protection practice should be a matter of corporate governance and I am pleased the trust is implementing a number of changes to alert staff to data protection policies and procedures in the future.”