Health trusts must take greater care with data after losses which included patients' information being left on a bus, the Information Commissioner's Office (ICO) said.

The ICO found five NHS organisations had breached the Data Protection Act and warned health bodies about the importance of making information secure.

Information about 23 patients was on the Surrey and Sussex NHS Trust ward handover sheet which was found on a bus.

The same trust also reported the theft of two laptop computers which were kept behind three locked doors but were not encrypted.

The Royal Free Hampstead NHS Trust reported the loss of an unencrypted compact disk which was initially thought to contain medical treatment details of 20,000 patients from the hospital's cardiology department.

The Trust later said it could not be precise about the information contained on the disk.

Chelsea and Westminster Hospital Foundation Trust reported the theft of an unencrypted memory stick containing details of 143 patients, including sensitive medical information.

It said the memory stick, which was not password protected, was stolen from an unlocked office that was being used as a walk-in clinic.

An employee had been taking it home for use on his personal computer.

Epsom and St Helier University Hospital NHS Foundation Trust was found to have stored hospital records insecurely for nearly two years after data was being transferred between hospitals.

Hampshire Partnership NHS Trust told the ICO about the theft of an unencrypted laptop computer holding the personal data of 349 patients and 258 staff while an employee attended a health conference.

Sally-Anne Poole, head of enforcement and investigations at the ICO, said: "These five cases serve as a reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security.

"It is important that staff adhere to policies designed to protect individuals' sensitive information.

"Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them.

"Failure to do so could result in patient information, including sensitive medical records and treatment details, falling into the wrong hands.

"The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal data is kept secure. These five organisations recognise the seriousness of these data losses and have agreed to take immediate remedial action."

A spokesman for the ICO said some of the information which went missing was classified as sensitive personal data as defined in Section 2 of the Act.

The NHS bodies involved have agreed to implement the appropriate security measures to ensure that personal details are properly protected.

Measures will include locking doors and training staff on the policy for data storage.

Laptops, mobile and portable devices held by The Royal Free Hampstead NHS Trust, Chelsea and Westminster Hospital NHS Foundation Trust and Hampshire Partnership Trust will be password protected and encrypted.

Trusts which do not take improvement measures can face action by the ICO.