The Information Commissioner's Office (ICO) has attacked the NHS for lapses in data security after the discovery of major data breaches at two health trusts that put patient information at risk.

The Stoke-on-Trent Trust lost or destroyed the records of 2,000 patients, while the Basingstoke and North Hampshire NHS Foundation Trust breached the Data Protection Act by emailing an unsecured spreadsheet of information to another department.

Mick Gorrill, head of enforcement at the ICO, maintained that NHS departments are still making far too many mistakes, and that more needs to be done to ensure that data is kept secure.

"Health bodies must implement the appropriate procedures when storing and transferring patients' sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law," he said.

The chief executives of the Stoke-on-Trent (PDF) and Basingstoke (PDF) trusts have signed orders detailing the new measures they will introduce, including using encrypted devices and educating staff about the importance of data protection.

It was revealed earlier this year that the NHS is responsible for 250 of the 1,000 data breaches reported to the ICO.

The data watchdog confirmed last week that it has no intention of lobbying the government to introduce measures that would make it mandatory for organisations to report data losses.