A Scottish health board that lost a USB flash drive containing sensitive patient information has been given a severe ticking off by the Information Commissioner’s Office (ICO).

In May, a 12-year-old boy was reported to have found the stick containing details of the personal histories of mental patients at the Bellesdyke hospital in Larbert, near Stirling, while visiting a nearby supermarket.

Further investigation revealed that the patient records had been put on to the privately-owned stick by a member of staff, who used no password or encryption security to lock its contents.

NHS Forth Valley, which is responsible for the hospital, will now have to sign an undertaking to use only authorised drives for staff data transport, all of which must from 31 December 2010 employ encryption.

"All staff members should be fully aware of the policies and procedures in place to safeguard personal information to stop it falling into the wrong hands. I am pleased the organisation is taking remedial steps to ensure such an incident does not happen again," said Scotland’s assistant commissioner at the ICO, Ken Macdonald.

The naming and shaming warning is clear – another incident and NHS Forth Valley will face a fine.

“It is simply unworkable to try and prevent staff from downloading information on portable devices like USB memory sticks,” said Anders Pettersson, CSO at Swedish company BlockMaster Security, which has had success selling encrypted drives to the UK's NHS in the last year.

“A secure USB solution would have provided the NHS Trust with full confidence that data is secure at all times and that it has not been tampered with, providing full accountability on all user actions.”

The case was handled by Scotland’s regional branch of the UK’s feared Information Commissioner’s Office.