New claims about sale of confidential data send a shiver down the spine, the privacy watchdog said.
The names of 3,000 sick and disabled people were sold to undercover reporters for 19p each, according to the Daily Mail.
No checks were made on who the reporters - posing as a cold-calling outfit - really were, the newspaper said.
The revelations about an alleged trade in medical records follow the Mail's claims that pensioners' salaries, the value of their investments and the size of their pensions are being sold for as little as 5p without their consent.
The Information Commissioner has warned in the wake of those allegations that companies found to have breached data protection law by selling people's pension pot details face fines of up to £500,000.
Christopher Graham said claims that millions of individuals' data were being sold and ending up in the hands of criminals were "very serious".
The financial details are allegedly being bought by fraudsters and cold-calling firms.
The paper said its undercover reporters were sold pension pot details for 15,000 people without any checks being made on who they were and what they wanted the data for.
"We are in touch with the pensions regulator, the Financial Conduct Authority and the police because this looks like a very serious breach of the Data Protection Act.
"If it is a breach of the Data Protection Act, then the companies involved are facing serious civil monetary penalties of up to half a million pounds.
"If we establish it's criminal activity by individuals, then they are in deep trouble too."
The investigation comes ahead of next week's pension reforms, which will give savers the chance to access their full retirement pots.
Experts at the Information Commissioner's Office (ICO) have previously warned that the pension reforms on April 6 could result in a flood of scams on the scale of "the next PPI scandal".
Last night Steve Eckersley, head of enforcement at the ICO, said the new claims about medical data send a shiver down the spine.
He said: "People rightly consider information about their health to be sensitive, and in a recent survey we found that half of people consider it to be extremely sensitive. To think such information could be in the hands of unscrupulous businesses looking to profit from it sends a shiver down the spine."
He said the ICO would consider whether there had been any breach of data protection law.
The Mail said that medical data which has allegedly been sold included details of thousands of people suffering with diabetes, high blood pressure, osteoporosis, back pain and arthritis.
The data named even those suffering from embarrassing bladder problems, as well as those who are hard of hearing, who could be more vulnerable to scams.
The newspaper said undercover reporters were able to buy these sensitive details for 3,000 sick or disabled people for less than £600 - just 19p a record.
Dr Sarah Wollaston, Tory chair of the health select committee, called for those caught selling medical data without consent to face jail.
She told the newspaper: "It is appalling that people can buy the most sensitive medical information.
"Nothing is more personal. Selling people's most sensitive medical data without their foreknowledge is a new low. The ICO needs to take very strong action.
"The people who are selling this kind of data should face jail sentences if they are found to have acted illegally. We should see severe penalties."
A company named in the Mail's first report said it would welcome an ICO investigation and co-operate fully with it.
In a statement, B2C Data Limited said: "B2C Data Limited is registered with the Information Commissioner's Office and is a member of the Direct Marketing Association. It operates an entirely legitimate and legally-compliant data business.
"It complies with all its legal requirements. Importantly, it does not receive or process information other than in respect of those customers of its members who have opted in. Equally, it does not sell 'highly sensitive details of ... salaries, investments and pensions'."
The statement said the company was "appalled" by the reporting in the Daily Mail, which contained "numerous factual errors and exaggerations".
It continued: "While B2C is consulting with its legal advisers, it welcomes an investigation by the ICO into these matters and it will co-operate fully with any investigation. B2C Data takes its legal obligations very seriously and will continue to do so."
Read more on AOL Money:
Overtime: what are your rights?
The companies that treat their customers best (and worst)
Shared parental leave: time for dads to take the career hit?