Up to 10,000 NHS patients may have been affected following a private health company's decision to store patient records on Google Drive.

As detailed in a leaked report obtained by the BBC, the Information Commissioner's Office (ICO)
revealed that Birmingham-based Diagnostic Health, which carries out ultrasound scans for the NHS, stored patient data unencrypted on Google's cloud-based file storage service between June 26 2013 and July 22 2013.

Staff at Diagnostic Health, which voluntarily suspended its services to co-operate with the ICO, shared a single password between staff members to access the files, according to the report.

No control

Other issues detailed include GP referrals being emailed directly to staff inboxes with no audit trail of who accessed the system and when, and staff were found to have no control over how to delete personal data from an ex consultant's laptop. Additionally, a company laptop was stolen from a staff member's home and had not been reported to the ICO.

The BBC attempted to obtain the report through Freedom of Information (FOI) requests in November 2013 and March 2014 after the ICO refused to provide access to the information on the grounds that the investigation was ongoing.

Diagnostic Health claims that it has completed an action plan agreed with the ICO following the investigation and has resumed providing patient services.