
Pharmaceutical retailer Malibu Pharmacy has won temporary relief after a High Court judge suspended a Sh700,000 compensation award for breaching a patient’s medical data privacy.
Justice Janet Mulwa granted the reprieve pending the determination of the pharmacy’s appeal against the decision by the Office of the Data Protection Commissioner (ODPC). However, she directed Malibu to deposit the amount in a joint interest-earning account held by lawyers representing both parties.
The case stems from allegations that the pharmacy attached the patient’s name, phone number, home address, and a wrong medical diagnosis on the outside of a medicine package delivered by a rider.
The breach allegedly began with a WhatsApp order placed by the patient to one of Malibu’s branches.
"It would be unjustifiable to deny the appellant orders of stay pending hearing and determination of the appeal. Conversely, it would also be unfair to the respondent should the appeal not succeed to be returned to square one for her to initiate execution proceedings from that point," said the judge.
The retailer moved to the High Court seeking to have the determination of the Data Commissioner set aside as well as the enforcement notice.
Pending the hearing, it applied for a stay of execution of the final decision and enforcement notice dated May 11, 2024, requiring it to compensate the patient the amount for breach of personal data.
The company was found liable for unlawfully processing the complainant's personal data relating to health.
In the contested verdict, Data Commissioner Immaculate Kassait found that though the personal data relating to the complainant’s name, location and phone number were essential to facilitate the delivery of the drugs, tagging the complainant’s diagnosis on top of the package was unnecessary.
Sensitive data
"Health data entails sensitive data. The same ought to be handled with a high degree of confidentiality as the potential for misuse of health data is very high in the wrong hands. In the circumstances surrounding this complaint the respondent acted negligently by not concealing the complainant's diagnosis," said the Commissioner.
The complainant, name withheld, alleged that she had ordered prescription medicine from Malibu Pharmacy which was delivered to her with her name, number, house location, type of prescription and wrong diagnosis tagged on the outside of the package. She stated that the said personal data was shared with third parties without her knowledge and consent.
To buttress her complaint, she produced pictures of how the medical package sent to her appeared, screenshot pictures of conversations between her and the retailer's employees, and the company settlement note sent to the insurance company.
Narrating the genesis of the dispute, the complainant alleged that the drugstore took it upon itself to diagnose her without her knowledge or without consulting her primary doctor.
Further, she contended that the diagnosis itself was defamatory, wrong, misleading and was carried around by a rider all day long as he delivered medication to various clients.
The complainant alleged that the incorrect diagnosis included her complete name, phone number, and home address and that the diagnosis document was attached to the outside of the package containing her medication, where anyone could view it.
She further claimed that the rider was not a medical professional, and she was unsure how many persons saw the information from the pharmacy until the drug arrived at her residence.
Additionally, the complainant submitted that the medical insurance form that accompanied the medication also had a wrong and misleading diagnosis. This was again carried by the same rider and therefore had her personal medical information exposed in a very public way.
When she received the medication, she raised a concern with one of the retailer's doctors about the wrong diagnosis on top of the package and on the medical insurance form.
She said that despite raising this issue and getting assurance that the doctor would do everything on his end to rectify the situation, the insurance medical claim form was still scanned and sent to the insurance company with the erroneous information.
In its response to the complaint, the retailer stated that the complainant was their client for over two years and during this time they were responsible for managing her prescriptions as well as those of her family members.
According to the store, the deliveries were made to her residence using riders employed directly by the retailer.
The events leading to the legal tussle occurred on January 19, 2024, when the complainant placed an order through the WhatsApp number of one of the drugstore's branches, requesting delivery to her residence and providing location details.
Their pharmacist handled the prescription, which was then passed to their rider for direct delivery to the complainant using the pharmacy-provided motorbike in a sealed container, and the package was received directly by the complainant at her residence.
It was their position that the complainant's personal information was not exposed to multiple third parties, as alleged. The information was solely utilized for processing her prescription, arranging delivery to her address, and initiating the insurance reimbursement process.
They further stated that the claimant's personal information was never utilised for promotional purposes and that she exclusively received information from them during the processing of her orders, through calls and WhatsApp messages.
The case will be mentioned on July 29, 2025, before Justice Linus Kassan in Milimani Nairobi for directions.