A medical practice which lost the details of 8,000 patients, including their names and addresses, breached the Data Protection Act, says a watchdog.
The information was stored on a memory stick that was lost in the post between the surgery in Lampeter, Ceredigion, and an NHS business services centre.
The Information Commissioner's Office (ICO), the privacy watchdog, said the practice had breached the act.
Hywel Dda Health Board said action was being taken to address procedures.
The memory stick was reported lost in March after a member of staff at the surgery had, in contravention of practice policy, downloaded a database onto an unencrypted memory stick, which was not password protected either, said the ICO.
The memory stick was then posted by recorded delivery to the Health Boards' Business Service Centre, but it failed to arrive. It contained the details of some 8,000 patients, but there was no clinical information.
The ICO said it found the practice to be in breach of the Data Protection Act.
Sally-Anne Poole, ICO enforcement group manager, said: "It is unnecessarily risky to download 8,000 personal details on to a memory stick.
"It is imperative that staff are made fully aware of an organisation's policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft.
"I am pleased Lampeter Medical Practice has agreed to take action to prevent a similar security breach happening again."
The ICO said Dr Rowena Mathew, the head of Lampeter Medical Practice, had agreed to take "remedial action by ensuring that sufficient steps are taken to ensure a security breach doesn't occur again".
The ICO added: "This includes ensuring all mobile devices including laptops and memory sticks are encrypted, ensuring physical security measures are sufficient and making staff fully aware of the organisation's data security policy."
The Hywel Dda Health Board said it had been working closely with Lampeter Medical Practice since the incident to ensure that "immediate corrective action was taken and to address practice procedures".
It added: "The health board has also reminded staff, including commissioners such as GP practices, pharmacists, dentists and opticians about the importance of patient data security and to reinforce the formal procedure for the safe transfer of patient data."
The medical practice apologised in March after it lost the patient details.