HEALTH chiefs in the Lothians have said they have taken action to protect patient data, after being criticised over two separate cases where medical records were lost.
The health board has been rapped by the Information Commissioner's Office (ICO), which investigated the incidents.
In one, a USB memory stick containing the personal information of 137 patients was lost by a community health worker last June.
The ICO said the memory stick belonged to an employee and should not have been used to store NHS Lothian data.
Also in June last year, a document wallet with 25 paper files about patients was left in a shop.
The ICO said in both cases the employees involved failed to comply with NHS Lothian security requirements.
The health board said it could not confirm if those involved were still working for NHS Lothian, owing to confidentiality, but said action had been taken.
Director of human resources and organisational development for NHS Lothian, Alan Boyter, said: "Any staff member who breaks our rules on the safe storage of patient information will face investigation under our disciplinary procedures."
Following the incidents, NHS Lothian launched a "data amnesty" as part of a new campaign to tighten the security of information.
The campaign included roadshows at hospitals, leaflets, posters in NHS Lothian buildings, features in the staff newspaper and a data amnesty, which took place in August 2008.
The amnesty allowed anyone who had inappropriately stored sensitive information to come forward and have it safely disposed of without being subject to disciplinary procedures.
NHS Lothian has also now agreed to ensure that portable and mobile devices, such as memory sticks, are encrypted, and to prevent unauthorised memory devices or computer systems being used to store patient data.
Mr Boyter added: "We alerted the Information Commissioner as soon as we became aware last year of a staff member who had broken the NHS Lothian policy on safe data storage, and have been happy to work with the commission.
"We take the preservation and protection of patient confidentiality as seriously as possible and immediately put into place a number of software solutions.
"These include a ban on the use of any memory sticks apart from special NHS sticks with in-built encryption, and new software on any laptops to prevent unauthorised people accessing them."
Assistant information commissioner for Scotland, Ken Macdonald, said: "I am pleased that NHS Lothian is taking remedial action to improve data security."
The ICO will audit the health board later this year.