Rouge Valley Hospital says two employees have admitted, following an internal investigation, to selling patient information.
The hospital says the employees had access to computer systems that log patient information.
“A printout, a list of names and phone numbers and addresses, were found on a printer, and that was given to management and we started investigating,” said spokesman David Brazeau.
Brazeau said the two workers are no longer employed by the hospital, which sent a letter to the affected patients to inform them of the breach.
But personal information about the apparent victims — all new mothers — is still out there.
It is not known who bought the data. But some of the affected patients say they are now getting phone calls from a company looking to sell Registered Education Savings Plans.
“It's one thing for someone to try to sell you an RESP but it's another thing for someone to have the first and last name and date of birth of your child,” said new mother Natasha Reid.
“You're going to the hospital to get help whatever your reason, to have a baby or you’re sick and you're not thinking that you're going to have your information in cyberspace.”
Ontario privacy commissioner Ann Cavoukian has launched an investigation, calling the incident “appalling” and a “completely egregious” breach of provincial law.
Police are also investigating, as is the Ontario Securities Commission. The OSC said a company could face major penalties if it is found to have bought personal information it knew to be stolen.