Millions of patients' NHS data has been sold to private companies over the last decade, according to an internal review by the NHS information centre (NHS IC).
The NHS IC, which has since been replaced by HSCIC, reviewed data handling and concluded that the NHS had made "significant lapses" in recording the release of the data.
The ‘Data Release Review' led by HSCIC's non-executive director, Sir Nick Partridge, found that much of the data released by the NHS was to universities and the Department of Health for research purposes.
However, between 2005 and 2012, 588 data releases were made to 178 private-sector organisations excluding charities, for the purpose of "analytics, benchmarking and research", according to NHS IC.
The organisations included technology companies, healthcare consultancies, insurance firms and pharmaceutical giants AstraZeneca and GlaxoSmithKline.
Partridge claimed that the HSCIC should "learn the lessons from the loosely recorded processes of its predecessor organisation".
"The public simply will not tolerate vagueness about medical records that may be intensely private to them. We exist to guard their data and we have to earn their trust by demonstrating scrupulous care with which we handle their personal information," he said.
The review claimed that "in some cases the decision-making process was unclear and records of decisions incomplete; when handling medical records this is unacceptable".
Phil Booth, from privacy campaigners MedConfidential, told Computing that while Partridge had made some sensible recommendations, he would like to see more details.
He suggested that it must have been the case that someone within the HSCIC or NHS IC knew that they were in a mess – or that no one was aware of what was going on.
"I'm not sure which is more terrifying," he exclaimed.
The review has suggested several changes in order to ensure controls over data are tightened and that there is more transparency given to the general public over data use.
Booth suggested that the NHS had to be more transparent than sending out quarterly reports with data shown on a "massively complicated" spreadsheet.
"The end-to-end audit [of where data has gone] has to be fed back to patients, patients need to know who has their data and what they're doing with it," he said.
He suggested that NHS England's care.data programme – which has already suffered several delays because of privacy concerns – should be shelved until all of the recommendations have been put into place and are evidently working.
"They propose to use huge amounts of GP data, when they are still sending things into black holes and failing to comply with basic procedures," he stated.
The data does not divulge patients' names, but in some cases it may have been possible to identify who the data referred to.
Booth urged the NHS to call for patient data that has unnecessarily been shared with private firms to be deleted, and questioned the way that the HSCIC has approached the review, suggesting that there should be repercussions.
"It is not sufficient; you can't just wipe the slate clean. This is like a million records, it's one of the largest [data breaches that has been uncovered] in NHS history so there has to be consequences," he said.