Private health firms, including Bupa, could pay £140 to identify potentially millions of patients and then access their health records, detailing intimate medical histories, under a new national arrangement in the NHS, the Guardian can reveal.

The records, which include sensitive information about hospital visits, such as a mother's history of still births, patients' psychiatric treatment and critical care stays, allow individuals to be identified by use of postcode, gender and age as well as their socioeconomic status.

On Monday the government slipped out the news that private insurer Bupa was approved to access England's "sensitive or identifiable" patient data, housed centrally by the Health and Social Care Information Centre (HSCIC). It is now among four private firms that have passed the government's vetting procedures.

The charging structure for "bespoke patient-level extracts" was revealed when HSCIC put up a "cost calculator" to work out how much prospective customers would pay for sensitive hospital data. The "indicative fee" for a full set of 20 years' inpatient data was about £8,000 including £140 to make the records identifiable.

On the information centre's website, the Data Access Advisory Group says it "considers applications for sensitive or identifiable data". Once they have been approved, organisations have to apply to extract identifiable NHS data.

The prime minister has argued that companies such as Britain's key life sciences firms should be able to benefit from the NHS's vast collection of patient data. But critics argue that this amounts to putting the NHS "up for sale".

Campaigners say the health service is aping commercial practice – pointing out that only last week the country's largest mobile phone operator announced it was selling the internet habits of its 27m customers.

Phil Booth, coordinator at patient pressure group medConfidential, said: "People are rightly concerned when details of their mobile use or online habits are sold on; now we learn that the NHS is selling masses of highly sensitive medical information to private companies. Like millions of other patients, I'm certain I never gave my consent for that."

The Guardian has established that private companies are already attempting to access patient records which can identify individuals.

In July a private research firm Civil Eyes was granted access to sensitive "consultant code" data. However, in the same month Dr Foster, which produces a guide to good hospitals, was refused permission to obtain patient mental-health data which included date of birth, gender, marital status and NHS number.

Labour called for the practice to be "suspended immediately pending a full investigation". Shadow health secretary Andy Burnham said: "Patients will be appalled to learn that the government appears to be auctioning off their personal information to the highest bidder.

"We warned David Cameron 18 months ago that greater safeguards were needed on the use of data in the NHS. He failed to provide them and, in his drive to commercialise the NHS, he has allowed this unacceptable situation to arise. Ministers need to tell us whether they knew about this practice and whether it was given their approval".

The HSCIC said that it "only provides identifiable data when there is a lawful basis to do so, eg, with patient consent. The data we provide is normally anonymised. We do charge a fee to cover administrative costs of operating an extract/data linkage request. We are committed to ensuring information about our services are presented in a transparent and accessible way and will continue to develop our website to ensure further clarity in this area."

Dr Katrina Herren, medical director of Bupa Health Funding UK, said: "Bupa uses NHS clinical data to support the NHS with services like population health management, and also for benchmarking purposes.

"The government publishes very clear rules on how we can use the data, and we adhere to the highest standards of information governance when handling confidential information."

• This article was amended on 21 May 2013 to restore a sentence, lost during the editing process, which made clear that once organisations have been approved, they must apply to see identifiable data. The headline was also amended to reflect this.