A Toronto court has handed down one of the most severe punishments faced by an Ontario health care worker in connection with massive privacy breaches that saw new mothers’ information passed to financial companies.

Esther Cruz, a former maternity ward nurse at Rouge Valley and Scarborough Hospitals, and Nellie Acar, a former broker with Global RESP Corporation, pleaded guilty Tuesday to criminal charges stemming from a scheme to peddle Registered Education Savings Plans (RESPs) to new parents.

Cruz and Acar were both sentenced in Ontario Court of Justice in Scarborough to three months’ house arrest, part of six-month conditional sentences, as well as two years’ probation and 340 hours of community service.

Reached by phone, Acar expressed remorse for her actions.

“I’m so sorry about what I did, and I really regret what I did because it’s hurt my heart and also our family. It’s not easy,” she said.

Attempts to reach Cruz’s lawyer for comment were unsuccessful.

Michael Crystal, a lawyer representing victims in a $412-million class-action lawsuit over the breaches, called the sentences “major.

“We have this notion of invasion of privacy as a reason for a civil suit,” he said, but this sentence “changes the equation.”

“This is certainly an indication that what happened here was very, very grave and requires the most significant and substantial penalty that the criminal court can impose, and that is incarceration,” he said.

“For those people who have their privacy violated in hospitals, it is a red-letter day,” he said.

Rouge Valley Health System contacted 14,450 mothers to inform them their records may have been stolen from its hospitals between 2009 and 2013. The sentences come two years after the breach was discovered.

“It’s really sad that they had to do something like that to so many families. And I’m pretty sure it’s affecting their family as well,” said Tanya Taylor, a mom whose records were breached when she gave birth to her daughter five years ago at a Rouge Valley hospital.

She called the sentence “a bit lenient” and admitted she is feeling paranoid as she prepares for the birth of her fifth child in July.

“I think they’ve taken steps to ensure I don’t have to go through that again. Hopefully it works.”

Between January 2012 and April 2014, Acar paid Cruz to hand over patient information, exchanging less than $5,000 over that time, according to documents filed in court.

Cruz pleaded guilty to two counts of secret commissions, one for each hospital. She is also now facing a disciplinary hearing at the College of Nurses of Ontario for professional misconduct and failing to disclose the charges.

Acar pleaded guilty to one count of using a forged document and one count of secret commissions. Additional criminal charges were withdrawn.

Loading... Loading... Loading... Loading... Loading... Loading...

In an emailed statement, a spokesperson for Rouge Valley Health System said it took immediate action upon hearing about the breach and Cruz is no longer employed there.

“The protection of personal health information continues to be a priority for our organization,” the statement read.

The Scarborough Hospital called the breach “most regrettable” and not indicative of the hospital’s commitment to patient privacy.

“The resolution of this case through the courts sends a strong message to all health care staff of their professional obligations,” a hospital spokesperson said in an emailed statement.

In total, the Ontario Securities Commission had laid 12 charges in connection with the schemes.

Poly Edry and Subramanian Sulur also pleaded guilty Tuesday to participating in improper referral arrangements, an offence under the Securities Act. Their sentences have not been handed down.

In November, former Rouge Valley hospital clerk Shaida Bandali was fined $36,000 and sentenced to two years' probation and 300 hours of community service for her role.

Star investigations have shed light on the rising number of medical-record privacy breaches and the limitations of the legislation as it stood at the time.

After more than a decade, charges under the Personal Health Information Protection Act failed to result in any prosecutions.

On May 5, Ontario passed new health privacy legislation, which increases fines for violating PHIPA, eliminates the six-month time limit to start prosecution and makes it mandatory to report privacy breaches to the Information and Privacy Commissioner and regulatory colleges where relevant.

Two health care workers who snooped into late mayor Rob Ford’s electronic hospital records were the first to be convicted under PHIPA. The pair pleaded guilty and were each fined $2,505.