Diagnostic Health, a company that carries out ultrasound scans for the NHS, has been involved in a series of data protection breaches, potentially affecting up to 10,000 patients.
A leaked report from the Information Commissioner's Office (ICO), seen by the BBC, revealed that the Birmingham-based private company was storing patient data unencrypted.
The data, furthermore, was stored on Google Drive, the popular cloud-based file storage and synchronisation service, and Diagnostic Health staff shared a password to access those files.
The firm had been aware that it was breaching data protection guidelines by 26 June 2013, but continued adding to its database until 22 July, the leaked report said. The ICO audit also revealed that a company laptop stolen from a member of staff's home had not been initially reported to the ICO.
Other issues included GP referrals being emailed directly to staff in-boxes, no record of who accessed the system and when, and the failure of the company to delete personal data from an ex-consultant's laptop.
Daniel Ray, the data controller at University Hospital Birmingham, said that the situation was "extremely sad", adding that he would be shocked if patient records were stored on Google Drive as the there was a specific system, called N3, that is supposed to be used to handle confidential patient information.
"That is not how NHS patient records should be handled," he told the BBC.
Diagnostic Health had voluntarily suspended services, and claims that it has now completed an action plan agreed with the ICO. It plans to resume services for Clinical Commissioning Groups.