A prominent Tory MP on the powerful health select committee has questioned how the entire NHS hospital patient database for England was handed over to management consultants who uploaded it to Google servers based outside the UK.

Sarah Wollaston, who practised as a family doctor and is now a Conservative backbencher, tweeted: "So HES [hospital episode statistics] data uploaded to 'google's immense army of servers', who consented to that?"

The patient information had been obtained by PA Consulting, which claimed to have secured the "entire start-to-finish HES dataset across all three areas of collection – inpatient, outpatient and A&E".

The data set was so large it took up 27 DVDs and took a couple of weeks to upload. The management consultants said: "Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds."

The revelations alarmed campaigners and privacy experts, who queried how Google maps could have been used unless some location data had been provided in the patient information files.

The issue of which organisations have acquired medical records has been at the centre of political debate in the past few weeks, following reports that actuaries, pharmaceutical firms, government departments and private health providers had either attempted or obtained patient data.

Patient groups have questioned what safeguards are in place to protect privacy and have called for full disclosure of which organisations have acquired medical records since 2010.

Stephen Dorrell, Tory chairman of the health select committee, has already said he will write to the health secretary, Jeremy Hunt, to request that such information is released.

Last month, NHS England announced it would delay by six months the rollout of its flagship care.data scheme linking GP records and hospital data, amid criticism of how it has run the public information campaign about the project.

The extracted information will contain a person's NHS number, date of birth, postcode, ethnicity and gender. Once live, organisations such as university research departments – but also insurers and drug companies – will be able to apply to the new Health and Social Care Information Centre (HSCIC) to gain access to the care.data database.

However, campaigners said it would be a folly to continue with the project, which envisages firms paying to extract patient information that would be scrubbed of some personal identifiers but not enough to make the information completely anonymous – a process known as "pseudonymisation".

Phil Booth of medConfidential, which campaigns on medical privacy, said every day another instance of "whole population level data being sold emerges which had been previously denied".

He added: "There is no way for the public to tell that this data has left the HSCIC. The government and NHS England must now come completely clean. Anything less than full disclosure would be a complete betrayal of trust."

Both PA Consulting and HSCIC have yet to respond.

• This footnote was added on 4 March 2014. PA Consulting and HSCIC later issued statements which can be found here and here.