The Democratic presidential candidate Elizabeth Warren has joined a bipartisan group of US senators to express “serious concerns” over Project Nightingale, Google’s secretive acquisition of the health records of millions of Americans that was exposed last week by a whistleblower.

In a joint letter written by Warren, fellow Democrat Richard Blumenthal and Bill Cassidy, a Republican from Louisiana, the three senators demand that Google provides answers to a series of questions.

At the top of the list is “how such a vast amount of private, personal health data was surreptitiously collected, and how Google plans to use it”.

The existence of Project Nightingale was kept secret, with no patients or doctors being informed, until a whistleblower among the 300 staff working on the data transfer leaked documents to the media. By the time the scheme is completed next summer, the full personal details of more than 50 million patients – including names, addresses and medical histories – will have been transferred from Ascension, the second-largest health provider in the US, to Google.

The joint senators’ letter cites an article in the Guardian written by the anonymous whistleblower in which they say they were motivated to expose the project because patients were being withheld the ability to opt in or out of sharing their data with the search giant. “Patients and the public have a right to know what’s happening to their personal health information at every step along the way,” the individual said.

Documents leaked to the Guardian reveal the scale and ambition of Project Nightingale. They show that 126 Google employees working as part of the team known as “medical brain” that is developing artificial intelligence tools designed to predict disease patterns and search for new treatments were granted access to the health data by Ascension.

Access was approved, the documents show, for “discovery” purposes – though the precise nature of Google’s discovery plans remains unclear.

The documents also disclose that concerns about the security of the health data being handed to Google and whether it conformed to federal privacy standards were raised by Project Nightingale staff in group meetings. The whistleblower told the Guardian that those worries had not been answered by the tech giant at the time that they went public.

The data transfer has attracted federal attention. The US Department of Health and Human Services is looking into whether the scheme meets standards on privacy and data protection.

Google has insisted that all of its work with Ascension sticks to federal regulations “and come with strict guidance on data privacy, security and usage”. But that assurance has not satisfied the three US senators.

Warren and her colleagues note in their letter the Guardian’s report of Nightingale staff raising concerns about the secrecy and security of the project. “Health information and records of medical care are exceptionally sensitive,” they write, adding that when mishandled can “expose patients to embarrassment, discrimination, exploitation and other harms”.

Since news of the project broke, Google and Ascension have been carrying out an aggressive leak inquiry to flush out the whistleblower. All members of the Project Nightingale staff on both sides of the arrangement are being interviewed and computers scoured.