The Office of the Data Protection Commissioner (ODPC) has slapped St. Luke Orthopaedic & Trauma Hospital in Eldoret with a Ksh. 525,000 fine. The penalty follows a series of human errors that led to the unauthorized disclosure of a patient’s sensitive medical data to a complete stranger.
The case, brought forward by complainant Merceline Akoth Odeyo, highlights the high stakes of data management in the healthcare sector and sets a firm precedent for how the Data Protection Act is applied to sensitive health information.
Odeyo approached the regulator after a recurring nightmare at the facility. According to the investigation, the hospital twice issued her the medical results of a different patient who happened to share a similar first name.
Beyond the mix-up, the ODPC's investigation revealed a deeper compliance failure: Odeyo's sensitive health samples had been transferred to a third-party laboratory without her explicit, informed consent.
St. Luke Orthopaedic & Trauma Hospital admitted to an administrative error during its data reconciliation process but maintained that the incident was isolated. The hospital's legal team argued that the data transfer was conducted on the ground of legitimate interest, the argument being that the sharing was necessary to provide essential medical services to the patient.
However, Data Commissioner Immaculate Kassait, SC, was not convinced. In her ruling, she dismissed the hospital’s defense by highlighting the strict protections afforded to sensitive categories of data.
Key Rulings from the Data Commissioner
- Under Section 45 of the Data Protection Act, legitimate interest is a valid ground for processing general data, but it cannot be used as a shortcut for processing sensitive health data.
- The Commissioner noted that the hospital failed to produce a written record of consent. In the eyes of the law, the burden lies entirely with the institution to prove that it obtained permission.
- By rejecting the human-error defence, the ODPC signalled that hospitals must have robust technical safeguards in place so that similar patient names cannot lead to life-altering privacy breaches.
This ruling serves as a stark reminder to medical institutions across Kenya that good intentions do not override statutory requirements.
