Hospital fined KSh525,000 over patient data mishandling

Hospital faces a KSh525,000 penalty after the Data Commissioner finds serious violations in the handling and unlawful sharing of sensitive patient medical information.

The Office of the Data Protection Commissioner has ordered St Luke’s Orthopaedic and Trauma Hospital to pay KSh525,000 to a patient after finding it liable for unlawfully disclosing sensitive medical information.

In a determination issued under Kenya’s Data Protection Act, 2019, Data Commissioner Immaculate Kassait ruled that the hospital violated key data protection principles by mishandling and incorrectly sharing medical test results.

The complaint was filed by Merceline Odeyo, who accused the hospital of repeatedly issuing her with medical results belonging to another patient with a similar first name but a different surname.

Odeyo also told investigators that her personal health information was shared with a third-party laboratory without her informed consent, exposing her to a breach of privacy and loss of dignity.

According to the ruling, the repeated errors pointed to systemic failures in how the hospital handled sensitive patient data, raising concerns about internal controls and verification procedures.

In its defence, the hospital argued that the patient’s samples were collected and referred to an external laboratory under standard medical procedures. It maintained that only minimal personal data was shared and that a barcode system was used to track and identify samples.

The facility attributed the mix-up to an administrative error during the reconciliation of laboratory results, describing it as an isolated human mistake. It also said its actions were carried out in the patient’s best interest in line with provisions of the law.

However, the ODPC dismissed the hospital’s arguments, noting that the facility failed to provide evidence that it had obtained explicit and informed consent before sharing sensitive health data with a third party.

The Data Commissioner found that the hospital breached several provisions of the ODPC guidelines and the Data Protection Act. These included failure to obtain explicit consent, lack of transparency, and failure to notify the patient about third-party data processing.

The ruling also cited inadequate technical and organisational safeguards, which contributed to the data mix-up. The Commissioner noted that the hospital’s admission of an administrative error highlighted weaknesses in its data protection systems.

“The respondent failed to implement adequate safeguards to protect sensitive personal data,” the determination stated, underscoring the legal obligation of healthcare providers to ensure patient confidentiality.

The ODPC concluded that the complainant suffered both financial and non-financial harm, including emotional distress, as a result of the breach. Under Section 65 of the Data Protection Act, affected individuals are entitled to compensation for such damages.

The hospital was ordered to pay KSh525,000 to the complainant as compensation for the violation.

The ruling also affirmed that either party has the right to challenge the decision by filing an appeal at the High Court within 30 days.

The case highlights growing enforcement of data protection laws in Kenya, particularly in the healthcare sector where sensitive personal information must be handled with the highest level of care.

About the Author

Brian Wanjala

Investigative journalist covering politics, business, health, education and social affairs. Multiple award winner.
