12/16/2014 10:48 EST | Updated 02/15/2015 05:59 EST

Rouge Valley Hospital Failed To Safeguard Patients' Privacy After Sale Of Personal Info, Says Commissioner

David Cooper via Getty Images
TORONTO, ON - AUGUST 27: Tanya Taylor, a mom who received a second letter from Rouge Valley hospital yesterday letting her know even more of her personal info may have been leaked by hospital staffers after she gave birth to Taylor Brown now three, at the Ajax-Pickering site in 2010. (David Cooper/Toronto Star via Getty Images)
TORONTO - Ontario's privacy commissioner says Rouge Valley hospital in Toronto failed to put reasonable safeguards in place to protect patients' privacy after the sale of the personal information of up to 14,000 new mothers.

And acting commissioner Brian Beamish says he wants to send a "strong message" to staff at all Ontario hospitals that such privacy breaches will be prosecuted.

The commissioner's office investigated allegations that hospital clerical staff sold information about new mothers to companies marketing registered education savings plans.

Beamish ordered Rouge Valley Health System to take steps to ensure it can track all instances where staff access patients' personal health information, and do random audits on all users' activities on all its electronic systems.

He also ordered the hospital to revise its privacy polices and give staff training in privacy issues.

Beamish says more needs to be done to address what appears to be a growing problem with privacy breaches in Ontario hospitals, so he wants the Ministry of Health and the attorney general to develop a procedure to prosecute offenders.

"Over the last decade we have seen a growing number of privacy breaches involving unauthorized access to personal health information by staff within the health sector," Beamish said in a statement. "Whether it is done out of curiosity, or as in this case for financial gain, it is simply unacceptable."

Rouge Valley said it believes the former employees may have used and disclosed information on patients who gave birth at its hospital sites between July 9, 2009 and April 5, 2014, adding in a statement that it notified the Ontario Securities Commission, which regulates the sale of RESPs.