A confidential document with details of 19 patients – the majority of them elderly and many living alone – was found on open ground near Caithness General Hospital.
The information included patients who are to have Covid-19 checks and also details of a cancer patient.
NHS Highland has launched a major investigation into the data protection breach in Wick. It is the third breach in the past year.
Chief executive Paul Hawkins said: “NHS Highland has directly contacted all the patients affected by this data breach to apologise unreservedly.
“We have reported the incident to the Information Commissioner and are holding an investigation into this matter.”
The person who discovered the document, who does not wish to be named, said: “It holds highly personal data for 19 patients, talking about their health conditions, including cancer, their mental state and others needing Covid tests.
I would feel quite distressed if I learned a member of the public had picked up sensitive information about myself out of the gutter.”
“Worryingly it gives their ages, and most of them are elderly. It states the care they are receiving and whether or not they are living on their own.
“Presuming these patients might be in Caithness General, then it goes without saying their homes are likely to be empty.
“If this document fell into criminal hands it could be devastating.”
The man discovered the “folded document” near the hospital’s staff accommodation while walking in the area on Friday at around 8pm.
He said: “When I realised what it was I was horrified, it was really quite distressing. These patients should feel secure that their medical information is safe.
“This is not acceptable and some of the details is harrowing.
“I would feel quite distressed if I learned a member of the public had picked up sensitive information about myself out of the gutter.”
The document has been handed back to NHS Highland.
The health authority’s data protection officer Donald Peterkin has reported the incident to the Information Commissioner’s Office (ICO).
An ICO spokeswoman said: “People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.
“When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact those affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.
“NHS Highlands has made us aware of an incident and we will assess the information provided.”
Last year a data blunder identified dozens of people with HIV across the region to others with the illness.
It occurred after an email was distributed by NHS Highland’s sexual health department to invite patients to a support group at Raigmore Hospital.
But it failed to conceal the personal details of patients, revealing these to fellow recipients of the email.
And in June this year, a man described his shock at finding a bag containing Covid-19 samples lying in the middle of a main road in the Highlands.