The CD was discovered at a bus stop near the hospital. It had no password protection. Neither the trust nor the ICO was able to say why or how the CD was made.
The Royal Wolverhampton Hospitals NHS trust has signed a formal undertaking to tighten security procedures governing the copying of patient records.
The ICO's head of enforcement, Mick Gorrill, said: "The fact that this information was several years old is of no consequence. Patients' personal data should always be handled in accordance with the Data Protection Act (DPA). I am pleased the trust has agreed to take remedial steps to ensure such an incident does not happen again."
Investigations by the trust and the ICO showed there were weaknesses in the trust's data protection procedures. This included a lack of timeliness in recalling patients' charts released to consultants.
This story was first published by Computer Weekly