"I think that courts, government, the NHS, and UK society at large would come down VERY heavily on any company contravening their contracts."
Supposing a leak happened. What makes you think you'll be able to tie it down to a single company? The data could be leaked anonymously, and the risk of such a leak becomes higher the longer this care.data scheme carries on for.
Because the same data set isn't being given to loads of different companies, it is a unique process. The whole concept is you apply for specific data for a reason, get vetted and then receive the data.
At the scale we are talking about here the differences between both fields and individual records is going to be so great as to identify almost any leak.
You apply for specific data for a reason, but the whole point of releasing the data in the first place is to do statistical analysis on it, and to do any statistical analysis worth talking about you're going to need large data sets, that are bound to overlap with other data requests.
Let's think of a hypothetical situation. Companies that develop drugs to help people deal with mental illness are likely to want to research what mental illnesses are most prevalent so they know where the greatest ROI for R&D is going to be. To do this they're going to be exploring the data set, pulling patient data for people with mental illnesses of various kinds. However, there isn't just one company developing such drugs, and what seems like a good use of the data to one company is likely to seem like a good idea to another. Now imagine there's a leak of every bipolar person in the UK. Who would have access to such data? There's likely to be multiple interested parties.
Supposing a leak happened. What makes you think you'll be able to tie it down to a single company? The data could be leaked anonymously, and the risk of such a leak becomes higher the longer this care.data scheme carries on for.