Deep concerns about how the NHS is handling personal information were raised last night after it emerged files relating to up to 137 Scottish patients had gone missing.

Copies of letters and memos containing medical details were stored on a USB memory stick by a health worker in NHS Lothian, in clear breach of data protection rules, and the device has been mislaid. The files contained sensitive medical details.

The health board has called in the police and the worker, who is going through disciplinary proceedings, could be sacked.

The incident comes less than two weeks after a disk containing information about almost a million 999 calls to the Scottish Ambulance Service, including phone numbers and names, was lost in transit.

David McLetchie, Scottish Conservative MSP for Edinburgh Pentlands, expressed grave concerns about the NHS Lothian loss and demanded urgent action to restore public confidence in the way sensitive files are handled.

Copies of letters and notes to GPs in central Edinburgh over two years were stored on the memory stick.

It is understood they reveal details of the medical history of people living in the area between June 2006 and June 2008.

The worker, said to be an experienced employee, alerted managers to the problem last Thursday and an investigation was launched the same day.

All the premises involved have been searched and NHS IT security experts worked throughout the weekend to identify the patients affected.

Attempts have been made to contact them by telephone and letter. They have been offered face to face meetings to discuss concerns and a helpline has been set up.

Peter Gabbitas, NHS Lothian's director of health and social care, apologised for the situation.

He also said: "It's important to remember that the staff member came to us of their own volition to advise us of this contravention of our policy. The staff member has been active in helping us minimise the impact on these patients.

"Any threat to patient confidentiality is very serious and management took action as soon as they were informed."

Mr McLetchie said: "It would appear in this case that there has been a clear disregard for the rules and protocols governing the handling of such information, as well as a flagrant breach of the Data Protection Act. This is unacceptable and we need to call a halt to the cavalier attitude to personal, confidential and sensitive information which is evident in the actions of certain public servants.

"In future, it should be made absolutely clear that where the security of such information is breached as a result of a blatant disregard for the rules, then heads will roll and this type of misconduct will merit dismissal, not just a mild slap across the wrist."

A spokesman for the Scottish Consumer Council said yesterday: "The use of a memory stick to store this kind of data means that personal health information has not been protected in the way it should have been, and the loss of the data further compounds the severity of the lapse of security.

"If the data was not protected in any way, for example by encryption, this makes it even worse. Cases like this risk losing the trust which the public has in the NHS."

There has been a succession of data security breaches related to the health service. Last spring, details of junior doctors were made public on an official UK website for handling medical job applications.

In May, Public Health Minister Shona Robison faced calls for her resignation after confidential health records were found to have been lying for months at the disused Strathmartine Hospital in Dundee.