And acting commissioner Brian Beamish says he wants to send a "strong message" to staff at all Ontario hospitals that such privacy breaches will be prosecuted.
The commissioner's office investigated allegations that hospital clerical staff sold information about new mothers to companies marketing registered education savings plans.
Beamish ordered Rouge Valley Health System to take steps to ensure it can track all instances where staff access patients' personal health information, and do random audits on all users' activities on all its electronic systems.
He also ordered the hospital to revise its privacy policies and give staff training in privacy issues.
Beamish says more needs to be done to address what appears to be a growing problem with privacy breaches in Ontario hospitals, so he wants the Ministry of Health and the attorney general to develop a procedure to prosecute offenders.
"Over the last decade we have seen a growing number of privacy breaches involving unauthorized access to personal health information by staff within the health sector," Beamish said in a statement. "Whether it is done out of curiosity, or as in this case for financial gain, it is simply unacceptable."
Rouge Valley said it believes the former employees may have used and disclosed information on patients who gave birth at its hospital sites between July 9, 2009 and April 5, 2014, adding in a statement that it notified the Ontario Securities Commission, which regulates the sale of RESPs.