The Scottish NHS has admitted to the loss of medical histories for 137 patients that were stored on a memory stick, in contravention of data protection rules.

The admission comes just days after the Scottish parliament published a report recommending the devolved government should be more proactive, ensuring compliance with security standards.

Police have been called in to investigate the loss of data concerning copies of letters from June 2006 to June 2008 between family doctors and NHS Lothian, held on a USB device by an NHS worker who could face the sack.

Health and social services director Peter Grabbitas said the NHS had set up a special investigation team to identify and support the patients affected and issued a formal apology to the those involved.

The community worker concerned owned up to the loss and the Information Commissioner has been informed.

It is the latest in a series of data losses in Scotland, including a disc containing details of 894,629 calls made to the Scottish Ambulance Service lost by a courier. The data, including telephone numbers and the addresses of incidents, was said to be "heavily encrypted".

The latest loss has been condemned by the Scottish Tories.

Spokeswoman Mary Scanlon said: "The cornerstone of our NHS is patient confidentiality. They must be confident in the services they receive and also that their records are not shown to others.

"The revelations that thousands of medical records have been lost or stolen is poor and sloppy management by the NHS."

Scottish finance secretary John Swinney claimed the security review showed " public bodies across Scotland have high standards of data handling" though there could be no complacency and there were improvements to be made.

The review said the government could do more to monitor compliance and carry out "health checks". It should specify standards for information security, risk management and data sharing but ensure policies and procedures do not impede legitimate data sharing. It also called for "further measures", especially tighter oversight.

The NHS in Scotland is managed entirely separately to that in England and Wales, with responsibility devolved to Edinburgh. It is not part of the long-delayed multibillion-pound NHS National Programme for IT.

Meanwhile, the Scottish Liberal Democrats published a "dossier" the party compiled on data losses in Scotland, which it claimed shows that councils and health boards across the country are failing to keep personal information safe.

It claimed to show that secret crime reports have gone missing, entire servers have been stolen from schools and the authorities have failed to keep USB sticks, laptops and BlackBerrys secure. Spokesman Jeremy Purvis said: "They are failing to keep personal information safe."