{"id":137921,"date":"2026-04-16T09:03:08","date_gmt":"2026-04-16T09:03:08","guid":{"rendered":"https:\/\/chezaspin.com\/blog\/data-commissioner-orders-hospital-to-pay-sh525000-for-mishandling-patients-medical-data\/"},"modified":"2026-04-16T09:03:08","modified_gmt":"2026-04-16T09:03:08","slug":"data-commissioner-orders-hospital-to-pay-sh525000-for-mishandling-patients-medical-data","status":"publish","type":"post","link":"https:\/\/chezaspin.com\/blog\/data-commissioner-orders-hospital-to-pay-sh525000-for-mishandling-patients-medical-data\/","title":{"rendered":"Data Commissioner Orders Hospital to Pay Sh525,000 for Mishandling Patient\u2019s Medical Data"},"content":{"rendered":"<p>NAIROBI, Kenya Apr 16 \u2013 The Office of the Data Protection Commissioner (ODPC) has found St Luke\u2019s Orthopaedic and Trauma Hospital liable for unlawfully disclosing a patient\u2019s sensitive medical information and ordered it to compensate the complainant Sh525,000.<\/p>\n<p>In a determination issued under the Data Protection Act, 2019, Data Commissioner Immaculate Kassait ruled that the hospital violated data protection principles after mishandling and incorrectly sharing medical results belonging to a patient.<\/p>\n<p>The case was filed by Merceline Odeyo, who alleged that the hospital repeatedly issued her with medical results belonging to another patient with a similar first name but a different surname.<\/p>\n<p>She further claimed that her sensitive health information was shared with a third-party laboratory without her informed consent, resulting in a breach of privacy and loss of dignity.<\/p>\n<p>In its defence, the hospital said the complainant\u2019s samples were lawfully collected and sent to an external laboratory under standard referral procedures.<\/p>\n<p>It argued that only minimal personal data was shared and that a barcode system was used to identify samples. The facility also maintained that any confusion arose from an administrative error during results reconciliation, describing it as an isolated human mistake.<\/p>\n<p>The hospital further stated that it acted in the complainant\u2019s best interest under provisions of the Data Protection Act.<\/p>\n<p>However, the Data Commissioner rejected the hospital\u2019s defence, ruling that the facility failed to demonstrate that it had obtained explicit and informed consent to share sensitive health data with third parties.<\/p>\n<p>The ODPC found that the hospital breached several provisions of the Data Protection Act, including failure to obtain explicit consent for data sharing, breach of transparency requirements, failure to notify the patient about third-party processing and inadequate technical and organisational safeguards leading to data mix-up.<\/p>\n<p>The Commissioner also noted that the hospital\u2019s admission of an administrative error demonstrated weak data protection systems and insufficient safeguards for handling sensitive health data.<\/p>\n<p>The ODPC concluded that the complainant suffered harm due to the breach and is entitled to compensation under Section 65 of the Data Protection Act, which includes both financial and non-financial damage such as emotional distress.<\/p>\n<p>The hospital has been ordered to pay Sh525,000 in compensation.<\/p>\n<p>The ruling also confirmed that parties have the right to appeal the decision at the High Court within 30 days.<\/p>","protected":false},"excerpt":{"rendered":"<p>NAIROBI, Kenya Apr 16 \u2013 The Office of the Data Protection Commissioner (ODPC) has found St Luke\u2019s Orthopaedic and Trauma Hospital liable for unlawfully disclosing a patient\u2019s sensitive medical information and ordered it to compensate the complainant Sh525,000. In a determination issued under the Data Protection Act, 2019, Data Commissioner Immaculate Kassait ruled that the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-137921","post","type-post","status-publish","format-standard","hentry","category-uncategorized","entry"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts\/137921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/comments?post=137921"}],"version-history":[{"count":0,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts\/137921\/revisions"}],"wp:attachment":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/media?parent=137921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/categories?post=137921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/tags?post=137921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}