Malibu Pharmacy in row with client over data breach and misdiagnosis claims

On January 19, 2024, Malibu Pharmacy received a prescription order from a loyal client (name withheld) it had served for more than two years.

The order was dispatched to the client’s home in a package with a piece of paper disclosing her name, diagnosis, contacts and physical address.

That could now become an expensive decision for Malibu, and one that could open the floodgates on privacy violation suits against merchants who offer delivery services.

The client raised two complaints against Malibu: she claimed that the pharmacy gave her the wrong set of drugs from a prescription that was not hers, and that it then not only displayed her confidential medical data while delivering the medicine but also sent the alleged erroneous information to her insurer.

The issue that started with a complaint to the pharmacy’s CEO is now at the High Court as Malibu attempts to wriggle out of a Sh700,000 award to the client for reckless display of her confidential medical data.

Malibu has appealed against a decision of the Office of the Data Protection Commissioner (ODPC) to award the client Sh700,000 in damages.

However, Malibu has not listed the ODPC in its appeal, as only the client is listed as a respondent. The court papers also indicate only the client in the list of individuals to be served with the documents.

The High Court has issued orders suspending enforcement of the ODPC’s award.

In documents before the High Court, the client said she realised that the wrong diagnosis had been listed on a piece of paper attached to the package, and that the rider also had an insurance claim form filled out with the same wrong information.

She reached out to Malibu Pharmacy through WhatsApp and raised concerns about the wrong diagnosis and exposure of her confidential information, including medical data.

Apology letter

Three days later, Malibu Pharmacy CEO Kamau Ng’ang’a sent the client a letter, in which he apologised for the exposure of her sensitive and confidential data.

Dr Ng’ang’a in his letter, which is now part of the court records, said that medical information would be coded going forward, with other steps taken to protect sensitive data from exposure.

The client said she called the CEO on a number that he wrote at the bottom of the letters, and explained that the diagnosis written on the insurance claim form was also wrong. She asked Dr Ng’ang’a to verify the same with her doctor.

However, Malibu allegedly sent a claim form to the insurance company with the same wrong diagnosis.

The client contacted Dr Ng’ang’a again on February 1 to raise the issue.

But Dr Ng’ang’a, she claimed, said there was nothing more he could do as he had followed up on it to the point of disciplinary action being taken against a Malibu Pharmacy staff member.

Further attempts to contact Dr Ng’ang’a to have the claim form sent to her insurer recalled and revoked did not yield any fruit, she added, as there was no response.

The client filed a complaint against Malibu Pharmacy at the Office of the Data Protection Commissioner (ODPC) on February 12.

The ODPC notified Malibu Pharmacy of the complaint on February 29, and asked it to file a response and provide any evidence in its defence.

The ODPC also asked Malibu to demonstrate the legal basis used to process the client’s personal data, her consent to the same and any mitigation measures that the pharmacy had taken to resolve the dispute.

In its response, Malibu Pharmacy said that it received an order from the client, processed it and dispatched the package to her residence.

The pharmacy denied that the client’s confidential data was recklessly displayed or exposed to third parties.

Malibu added that no third party was involved in the data processing, and that her sensitive information was handled through the company’s usual procedures which it said were in line with the Data Protection Act and other relevant laws.

In her determination dated May 11, Data Protection Commissioner Immaculate Kassait held that placing the client’s name, contact and address was necessary to facilitate delivery.

Ms Kassait, however, found that there was no need to indicate the client’s medical data on the tag attached to the package, as this exposed the confidential information to third parties.

“As such, the office finds that the respondent (Malibu) violated sections 25 (a) and (d) as read with section 44 of the (Data Protection) Act to the extent that it did not conceal the complainant’s diagnosis when delivering the medical package to her. It also abrogated its responsibility over the complainant’s health data as envisioned under section 46 of the Act,” Ms Kassait held.

Ms Kassait ruled that no evidence had been provided to show that Malibu processed a wrong diagnosis.

But for the data breach it was found guilty of, Malibu Pharmacy was ordered to pay the client Sh700,000.

On June 7, Malibu Pharmacy filed an appeal at the High Court, seeking to overturn Ms Kassait’s decision.

Suppressed evidence

In the appeal, Malibu claims that Ms Kassait suppressed crucial evidence when notifying it of the complaint by the client, and that this affected the pharmacy’s ability to adequately defend itself.

The pharmacy says that the client’s data was not shared with third parties.

“The Data Protection Commissioner erred in fact and in law, by proceeding to assess and award a quantum of Sh700,000 for unlawful processing of the respondent’s health data despite there being no evidence that the respondent’s health data was unlawfully shared to a third party or the processing of data caused any loss,” Malibu says in its appeal papers.

In her response to the appeal, the client holds that Malibu is seeking orders against a party that is not enjoined in the case, as the ODPC has not been listed as either a respondent or interested party.

“I wish to state that it would not be in the interest of justice for the orders sought herein to be granted as the applicant has absolutely no single ground of appeal and has only lodged this appeal to further frustrate me from enjoying the fruits of the Commissioner’s determination,” she says in her response.

Malibu adds that the ODPC unfairly shifted the burden of proof to it, and alleges that the client had not adequately evidenced the loss and damage suffered on account of the data breach.

The client holds that allowing Malibu to file additional evidence would unfairly give the pharmacy a second bite at the cherry.

“I am further advised by my advocates whose advice I verily believe to be true that the appellant being the party who has been unsuccessful at the trial must not seek to adduce additional evidence to make a fresh case on appeal, fill up omissions or patch up the weak points in its case,” she says in court papers.

She adds that the appeal should be dismissed as Malibu already made an admission of guilt through the apology letter that its CEO, Dr Ng’ang’a, wrote to the client.

The client has also filed a complaint against Malibu at the Pharmacy and Poisons Board (PPB).

In the PPB matter, she wants Malibu punished for alleged mishandling of her health data, giving and sharing the wrong diagnosis with third parties without her consent and refusing to recall the document sent to her insurer by the pharmacy.

The client claims in her letter to the PPB that the court case filed by Malibu is an attempt to bully her over an admitted act of negligence.

She is also concerned that the pharmacy is yet to correct the alleged wrong information and that the Malibu CEO has not been summoned by the board.

The PPB will hear the complaint on November 7.