More than 100 hospital patients' records were left on an unencrypted CD at a bus stop in Wolverhampton, a data protection body has said.
The CD held charts of patient heart and lung scans and their identity details and was found in May at a bus stop near the city's New Cross Hospital.
Royal Wolverhampton Hospitals NHS Trust said the CD had been made off-site without its knowledge or permission.
Data security must improve, the Information Commissioner's Office said.
Both the trust and the commissioner have carried out investigations.
The trust said: "We do not have the scanner facilities to create these images and any CDs we produce are automatically encrypted.
"Therefore this is not a case of our trust losing information it has previously scanned."
The Information Commissioner's Office (ICO) said the trust had allowed charts to be released to consultants on request, but failed to chase them up for return for about a month.
It said there was no need to make the CD or to take it off site.
The ICO has agreed with the trust that patient records should be signed for on release and chased up for return after a week. It also recommended staff training in the handling of sensitive documents.
A spokesman for the trust said it took patient confidentiality very seriously.
"We will implement all recommendations over the coming weeks and these actions will be monitored by several directors here at the trust."