An NHS Trust has been criticised for losing the medical records of 2,000 patients in Staffordshire.
NHS Stoke-on-Trent said in March they had lost or destroyed in error the records of physiotherapy patients at Haywood Hospital in 2006.
The Information Commissioner's Office (ICO) said the trust breached the Data Protection Act.
It has now agreed to put in place a number of security measures to better protect personal information.
A spokesman for the ICO said: "NHS Stoke-on-Trent will also apply physical security measures in respect of paper medical records, particularly when they are in transit."
Hospital officials apologised to those affected at the time.
Mick Gorrill, head of enforcement at the ICO, said: "Everyone makes mistakes, but regrettably there are far too many within the NHS.
"Health bodies must implement the appropriate procedures when storing and transferring patients' sensitive personal information."