21 Apr 2026, Tue

St Luke’s Orthopaedic and Trauma Hospital Ordered to Pay KSh 525,000 Over Patient Data Breach

The Office of the Data Protection Commissioner (ODPC) has found St Luke’s Orthopaedic and Trauma Hospital liable for unlawfully disclosing a patient’s sensitive medical information, ordering the facility to pay KSh 525,000 in compensation.

The ruling follows investigations that established the hospital released confidential patient data without proper consent, in violation of the Data Protection Act. Medical records are classified as highly sensitive information and are subject to strict legal protection.

Breach of Patient Confidentiality

According to the ODPC, the hospital failed to uphold fundamental data protection principles, including lawful processing, transparency, and confidentiality. The case involved Merceline Odeyo, who reported that the facility repeatedly issued her with test results belonging to another patient with a similar first name but a different surname.

She further alleged that the hospital shared her sensitive health data with a third-party laboratory without her informed consent, resulting in a breach of privacy and loss of dignity.

In its defence, the hospital argued that samples were lawfully referred to an external lab under standard procedures and that only minimal personal data was shared through a barcode system. It described the incident as an isolated administrative error during results reconciliation and maintained it acted in the patient’s best interest.

However, Data Commissioner Immaculate Kassait rejected this explanation, noting the hospital failed to prove it had obtained explicit consent. The ODPC identified multiple violations, including lack of consent, failure to notify the patient of third-party processing, and inadequate safeguards that led to the mix-up.

Increased Scrutiny on Healthcare Data Practices

The decision reflects growing enforcement of data protection laws in Kenya, particularly in sectors handling sensitive personal data. The Office of the Data Protection Commissioner continues to tighten oversight, signaling that compliance is mandatory.

Healthcare facilities are now expected to invest in stronger data security systems, staff training, and clear consent procedures to prevent similar breaches.

What This Means for Eldoret and Beyond

For patients, the ruling reinforces their right to privacy and control over personal medical information. For hospitals and clinics, it serves as a clear warning that non-compliance can result in financial penalties and reputational damage.

As enforcement actions increase, organizations across Eldoret and Kenya must prioritize data protection as a core operational requirement.
