St Luke’s Orthopaedic and Trauma Hospital.

Eldoret Hospital Fined Sh525K Over Data Breach

The Office of the Data Protection Commissioner (ODPC) has found St Luke’s Orthopaedic and Trauma Hospital liable for unlawfully disclosing a patient’s sensitive medical information and ordered it to pay Sh525,000 in compensation.

Data Commissioner Immaculate Kassait ruled that the hospital violated data protection laws by mishandling and wrongly sharing a patient’s medical results, in breach of the Data Protection Act, 2019.


The complaint was filed by Merceline Odeyo, who said the hospital repeatedly issued her with test results belonging to another patient who had a similar first name but a different surname. She also accused the facility of sharing her sensitive medical data with a third-party laboratory without her informed consent.

In its defence, the hospital said the samples were processed through standard procedures and that only minimal data was shared via a barcode system. It blamed the incident on an administrative error during results reconciliation.

However, the regulator dismissed the explanation, saying the hospital failed to prove that it had obtained proper and informed consent before sharing the patient’s data. The ODPC found multiple violations, including lack of transparency, failure to notify the patient about third-party processing, and weak safeguards that led to the mix-up.

Kassait noted that the breach caused harm to the complainant, making her eligible for compensation for both financial and emotional distress under the law.

The hospital has been ordered to pay Sh525,000, with both parties still entitled to appeal the decision at the High Court within 30 days.
