Hospital Ordered to Pay Ksh 525,000 for Unlawful Disclosure of Patient Data
Share
St. Luke Orthopaedic and Trauma Hospital in Eldoret has been ordered to compensate a patient after the Office of the Data Protection Commissioner (ODPC) found that it unlawfully disclosed her sensitive personal data and failed to safeguard her medical information.
According to a ruling issued by the Data Commissioner, St. Luke Orthopaedic and Trauma Hospital was found guilty of violating the Data Protection Act, 2019, after it disclosed the complainant’s sensitive medical information without obtaining her consent.
“In consideration of the complaint, and having found that the Respondent disclosed the Complainant’s sensitive personal data without the requisite consent as stipulated under the Act, it therefore follows that there has been a violation of the Act by the Bento that extent, PROTECTION,” read part of the determination.
St. Luke Hospital Found Liable for Unlawful Disclosure of Patient Medical Records
The commission stated that the complaint was lodged on December 16, 2025, after the patient alleged that the hospital mishandled her sensitive personal data by issuing her with another person’s medical test results.
After investigations, the ODPC found that the hospital twice provided the patient with the wrong medical records due to an administrative error, resulting in the disclosure of another individual’s sensitive health information.
The investigation also established that the hospital shared the complainant’s medical information with a third-party laboratory without first obtaining her explicit consent.
Also Read: Mystery as Hospital Patient Found Hanging After Disappearing From Surgical Ward
As a result, the Commissioner highlighted that St. Luke Orthopaedic and Trauma Hospital failed to maintain the accuracy of personal data and did not implement adequate safeguards to protect the patient’s sensitive health information.
“The Complainant alleges that the Respondent mishandled her sensitive personal data by failing to maintain its accuracy and currency and by disclosing medical records of an unrelated individual as though they were hers,” read part of the determination.
Accused of Breaching Data Protection Law
The Commissioner also found that the hospital breached key data protection principles, including transparency, data accuracy, and the security of personal information.
The ODPC further ordered the hospital to compensate the complainant Ksh525,000 for the infringement of her privacy rights.
Also Read: SHA Explains Why Ksh13 Billion in Hospital Claims Remain Unpaid Despite Ksh27.9 Billion Payout
“Having found that the Respondent has failed to prove that it obtained express consent from the Complainant, the Respondent is hereby directed to compensate the Complainant the amount of Ksh 525,000,” the determination stated.
The Commissioner noted that the award took into account the nature and extent of the violation, the sensitivity of the personal data involved, and the harm caused to the complainant through the unlawful processing of her medical information.
Meanwhile, the ODPC noted that either party has the right to appeal the determination before the High Court of Kenya within 30 days.
Follow our WhatsApp channel for instant news updates.

A photo showing the determination in the case of the data breach act of St. Luke Hospital.Photo/ Thuranira/X
