Hundreds of organisations have breached patient data-sharing agreements in the past seven years, an investigation by the BMJ has revealed. Despite these “high-risk” breaches, none of the organisations has had its access to patient data withdrawn.

Companies, clinical commissioning groups (CCG) and leading universities - with Imperial College London (ICL) and GlaxoSmithKline (GSK) among the offenders - were handling information outside of agreed data contracts and may still be failing to protect patient confidentiality, the journal said, based on the examination of NHS Digital audits.

In one case, clinical care commissioners allowed sensitive, identifiable patient data to be released to Virgin Care without permission from NHS Digital. When NHS Digital’s audit team tried to check Virgin Care’s compliance, the company denied access for several weeks and even refused to delete the patient data after the termination of the contract with the CCG.

“It is outrageous...