NHS staff are at risk of creating serious security breaches involving patient data owing to sharing smart cards, writing passwords on sticky notes and leaving highly sensitive notes out, an investigation has found.
The Care Quality Commission (CQC) report into the safety of patient data in the NHS also found examples where "bagged confidential paper waste (was) left unattended outside a building" and patient notes were left in staff belongings, on trains and in cafes.
Coded door locks were found to have passcodes that had never been changed, doors were "wedged open" so other people could pass through, and passcodes were written above door locks.
The report is published alongside a government-ordered review from Dame Fiona Caldicott, which recommends a new "opt out" system for patients to consent to how their data is used.
The CQC study included examples where inspectors saw or were told about risks to data, including:
:: "Paper notes being lost on and off site, for example in staff belongings, left on wards or when patients were transported"
:: "Bagged confidential paper waste left unattended outside a building"
:: "Paper records left visible for unauthorised people to see, for example on trolleys in corridors, on unattended receptionist desks, or on trains and in cafes where staff were working between appointments"
:: Emails and faxes sent to the wrong people
:: "Fax machines left unattended in public areas when highly sensitive notes were being transmitted"
The report also found examples where staff were leaving their smart cards - which enable them to access patient records electronically - for unauthorised agency staff to use.
There were also examples where smart cards were not withdrawn when a person left the NHS trust, "passwords were written on sticky notes above computer screens", smart cards were lost and staff were allowed "unfiltered" browsing on the internet, raising the risk of introducing malware into the system.
The report added: "Passwords (were) shared or re-used as passwords on social media sites, a risk potentially compounded if staff discuss their work responsibilities in detail on social media."
CQC inspectors said some of the risks were the result of good intentions - such as sharing smart cards with agency staff - but "many were the result of misjudgment".
Data showed there were 533 data security breaches officially reported in the NHS in the year to the end of May 2015.
The CQC said this was a small figure in the context of 6.5 billion data transactions (excluding paper transactions) across the whole NHS network.
But it said the quality of staff training on data security was "very varied" at all levels of staff and, although data security policies and procedures were in place at many sites, day-to-day practice "did not necessarily reflect them".
David Behan, chief executive of CQC, said: "The ability of NHS organisations to access and share patient information is crucial to the delivery of safe, effective care. But without robust processes, there's a risk that information may be compromised, may not be accessible when it's needed, or may not be kept confidential.
"We worked with 60 NHS organisations for this review, and those which demonstrated good practice on data security shared common characteristics - senior leadership who took this issue seriously and demonstrated ownership and responsibility; staff who were provided with the right information, tools, training and support; and systems and protocols designed around the needs of frontline staff, reducing the need for them to develop shortcuts in order to deliver timely patient care.
"But too often, not all these elements were in place."
The CQC has set out six recommendations to enhance NHS data security that are in line with recommendations in the Caldicott review.