It was almost two years ago that whistleblowers exposed the failings of the privatised out-of-hours GP service run by Serco in Cornwall. Yesterday, finally, they were vindicated. The powerful parliamentary public accounts committee summoned Serco and the NHS body responsible for commissioning them, the Cornwall primary care trust, and gave them the roasting they deserved for a culture of "lying and cheating" and for "shocking" inadequacies in writing and monitoring the contract. The committee had asked the National Audit Office to report on the service after revelations in the Guardian. Members from all parties were excoriating in their judgment of Serco's behaviour and the inability of the trust to hold the company, which has £2.4bn of public-sector contracts in the UK, to account.

The bigger question, however, is whether NHS patients will be any better protected in future as more services are put out to tender. Serco's health business is growing rapidly – it has £300m worth of contracts in the sector. Other than a dent to its reputation, it has suffered no penalty. It has not been fined for lying and breaching its contract, nor has it lost the job. Its public-sector business just keeps getting bigger as its share price rises. If a private company behaved this way to another private company over a contract, it would find itself in court. Not so when rapacious corporates (the committee's description) do business with the public sector. A small sorry is enough.

Protection of the whistleblowers remains woefully inadequate. While Serco has been able to falsify with impunity, whistleblowers have, as the parliamentary accounts committee recorded, been subject to persecution.

In the Cornwall case neither Serco's company systems nor the trust's audits had managed to find the repeated shortages of staffing and falsifying of performance data that whistleblowers said had been putting patients at risk as far back as 2010. But then, as the committee's formidable chair, former Labour minister Margaret Hodge, said, they didn't seem to want to look in the right place.

To date, the only forensic audit of the data provided to the NHS by Serco remains one conducted by the company under pressure of a period of its own choosing – the first six months in 2012, when it knew it was already being investigated and would have been trying to clean up; the biggest fiddles, according to whistleblowers, took place in the two years before that. The trust, the Care Quality Commission and the NAO have all looked at Serco's audit but no one so far has looked at the earlier period. Are they to be allowed to get away with it? Hodge's frustration was palpable.

Staff, deeply concerned that the service was an accident waiting to happen, went first to their managers, then their unions and professional bodies, and to the commissioner – and got nowhere. They went to local Lib Dem MP Andrew George, who asked the company and the trust to investigate but was fobbed off. They went to the regulator, the CQC, but it said it had no jurisdiction until a rule change in 2012 that required out-of-hours services to register with it. The strategic health authority, responsible for the trust until both were abolished in the coalition's upheaval of NHS structures, told MPs it didn't really do monitoring of out-of-hours services, that was the trust's business, even if the trust was failing. Finally the whistleblowers came to the Guardian.

When, in 2012, the regulator did acquire the power to investigate and did so, it at last uncovered evidence of the falsification of data we had reported but did no forensic audit of its own. The fiddling of figures was no mere accountancy exercise, it covered up real risk and a real human cost: terminal cancer patients not receiving home visits in time; the occasion when only one GP was available to cover home visits for the whole county; patients queuing for hours for proper clinical assessment.

The contract between Serco and the local NHS commissioners remains, outrageously, confidential, and freedom of information requests to have it released have been refused, as they are routinely in other privatised deals with public services. In this climate of secrecy, how can private companies be held to account?

Serco has blamed two maverick managers who fiddled the data off their own bat even though they apparently had no financial incentive to do so , a position that Hodge dismissed as "not credible". The pair have now been paid off with confidentiality clauses in their agreements. Serco insists it had found no evidence that the instruction to falsify came from higher up but said the gagging clauses did not prevent the two coming forward to disclose material evidence. We can only hope that if they have taken the fall for a corporate culture of dishonesty, and have evidence that they were acting on orders, as the whistleblowers have consistently alleged but Serco denies, they will feel safe coming forward now they have heard its reassurances.

Twitter: @lawrencefelic