The data was encrypted but the password was attached
A health trust did not take adequate steps to prevent the loss of a memory stick with data on 6,360 prisoners and ex-prisoners, a report has said.
The USB stick was being used to back up clinical databases at HMP Preston when it was lost on 30 December.
A report found that human error was to blame, but that procedures on data security had not been adhered to.
NHS Central Lancashire said it had taken action and reminded staff of their responsibilities.
The data lost was encrypted but the password had been written on a note which was attached when it was misplaced. The USB stick has not been found.
Prisoner surnames, their broad age range, prison number, cell location, prison clinic appointment times and review dates were all included in the information.
An "immediate and urgent" review of data policies was undertaken to ensure consistency regarding the use of USBs after the incident, the trust said.
All data sticks across the PCT were recalled and staff were reminded how to handle personal and sensitive information of patients and employees.
The report into the information security breach was reviewed by the Information Commissioner's Office.
It said it welcomed the remedial steps taken by NHS Central Lancashire following the data breach.
Chief executive Joe Rafferty said: "There was a failure in the system which led to this incident happening and we have taken steps to make sure this doesn't happen again.
"We are pleased that the Information Commissioner's Office has recognised the swift action taken by NHS Central Lancashire following the information security breach and that, as a result, at present no formal action will be taken."