A tech firm linked to Google accessed 1.6 million NHS patient files "with no legal basis" in the UK.
Company DeepMind, owned by Alphabet, Google's parent, was allowed to use the data to test an app that alerted doctors if there was a risk of injury to patients' kidneys.
However, Dame Fiona Caldicott, the National Data Guardian and chair of the Oxford University Hospitals NHS Foundation Trust, said in a letter to the Royal Free Hospital in London, which helped with the app, that the legal consent of patients for sharing data should only be assumed if it was for their care, not to develop an app.
Dame Fiona's letter added: "It is my view and that of my panel that the purpose for the transfer of 1.6 million identifiable patient records to Google DeepMind was for the testing of this Streams application, and not for the provision of direct care to patients.
"My considered opinion therefore remains that it would not have been within the reasonable expectation of patients that their records would have been shared for this purpose."
The transfer of data is being investigated by the Information Commissioner's Office (ICO).
Meanwhile, Sky News claimed to have obtained a letter sent to Professor Stephen Powis, medical director of the Royal Free Hospital in London, which provided the patients' records to Google DeepMind.
It revealed that the UK's most respected authority on the protection of NHS patients' data believed the legal basis for the transfer of information from Royal Free to DeepMind was "inappropriate".
According to commentators, the development raised fresh concerns about how the NHS handled patients' data after last week's cyberattack on hospitals and GP surgeries, which could have been prevented if staff had followed guidance issued a month earlier.
Strict legal protections were in place to ensure the confidentiality of patients' records under common law, and it was "implied" that patients had consented to sharing their information, if it was shared for the purpose of "direct care".