The statement of claim, filed this week in the Ontario Superior Court of Justice, alleges the information from Rouge Valley Health System was then used to target the families for the sale of registered education savings plans.
The lawsuit is seeking damages of upwards of $300 million for the breaches that are alleged to have happened between 2009 and 2013.
The two employees — who the hospital has said no longer work there — are alleged to have been paid in exchange for the information of more than 8,300 patients, most of them new mothers who gave birth and their families.
The allegations have not been proven in court.
Rouge Valley did not respond to a request for comment Wednesday, but the hospital's CEO released a statement earlier this month saying it is treating the situation with "extreme gravity" and "greatly regrets that this breach occurred."
Rouge Valley launched an internal investigation after it discovered the breaches in September 2013 and sent letters to affected patients. It has since tightened its information security controls, Rik Ganderton wrote.
"This is a breach of patients' privacy, hospital policy and most importantly compromises the TRUST patients place in us as health-care providers," Ganderton wrote. "We have strengthened procedures for logging and monitoring access to patient contact information. We continue to say sorry to all of our patients who have been impacted by this breach."
One of the two lead plaintiffs in the proposed class action alleges she started getting aggressive sales calls the day her son was released from the hospital and the salesperson refused to identify herself. The phone number the salesperson was using was not one that could receive incoming calls, it's alleged.
The hospital has not divulged the identities of the now-former employees, the lawsuit alleges.
Also on HuffPost