Eldoret Hospital Ordered to Pay KSh 525,000 Over Patient Data Breach


A healthcare facility in Eldoret has been ordered to compensate a patient KSh 525,000 after Kenya’s data protection regulator found it unlawfully disclosed sensitive medical information and failed to safeguard patient records.

In a determination issued on March 16, 2026, the Office of the Data Protection Commissioner (ODPC) ruled in favour of Merceline Akoth Odeyo in her complaint against St. Luke Orthopaedic & Trauma Hospital Eldoret.

The complainant alleged that the hospital mishandled her personal data by issuing her with medical test results belonging to another patient on two separate occasions. The mix-up reportedly involved individuals with similar first names but different surnames.

She further claimed the hospital shared her sensitive health information with a third-party laboratory without her knowledge or consent, resulting in a violation of her privacy and dignity.

In its defence, the hospital acknowledged that the complainant visited the facility in July 2025 and that her samples were sent to an external laboratory for testing. It maintained that only minimal data, specifically her name, was shared for identification purposes.

The hospital attributed the incident to an “isolated case of human error” during the reconciliation of test results and argued that the data processing was necessary to provide medical services.

However, the ODPC found that the hospital failed to demonstrate that it had obtained explicit and informed consent from the patient before sharing her data, as required under the Data Protection Act, 2019.

The Data Commissioner concluded that the hospital unlawfully disclosed the complainant’s sensitive health data to a third party, failed to uphold transparency obligations and adequately inform the patient, and did not implement sufficient technical and organisational measures to ensure data accuracy and security.

The regulator emphasized that verbal consent, without documented proof, does not meet the legal threshold for processing sensitive personal data.

As a result, the ODPC ordered the hospital to compensate the complainant KSh 525,000 for the breach, citing both emotional distress and the mishandling of sensitive medical information. The ruling also grants both parties the right to appeal the decision at the High Court within 30 days.


By Nixon Kanali

Tech journalist based in Nairobi. I track and report on tech and African startups. Founder and Editor of TechTrends Media. Nixon is also the East African tech editor for Africa Business Communities. Send tips to kanali@techtrendsmedia.co.ke.