The Royal Wolverhampton Hospitals NHS Trust has been pulled up by the UK Information Commissioner's Office (ICO) for mishandling sensitive patient information.
A CD containing 112 patient files from the heart and lung division within its intensive care unit had been found at a bus stop near the hospital.
The ICO said that the CD was neither encrypted nor password protected.
Investigations by the Trust and the ICO failed to establish how the CD came to be made, however the ICO pointed to transactions between the hospital and third-party consultants as a weak link its information handling processes.
The ICO said the Trust failed to recall patient charts from consultants in a timely manner, and has demanded that consultants sign for patient charts when they receive it.
Mick Gorrill, Head of Enforcement at the ICO said that data was several years old.