    How an Egyptian-Headquartered AI Medical Platform Harvested the Sensitive Health Data of Over 60,000 Kenyans — Leaving Thousands Exposed to a Mega Privacy Catastrophe in Foreign Hands

    A Cairo-headquartered AI company operated for years inside Kenya’s public health system processing the bodies and medical secrets of tens of thousands of the country’s most vulnerable citizens without a single valid licence, data registration, or meaningful patient consent. The courts have now acted. But the data is already gone. This is the story of how it happened, who enabled it, and what the disaster that may yet come could look like.

    THE MORNING A PATIENT’S LUNGS LEFT THE COUNTRY

    The patient who walked into a public health facility in Kisii County for a chest X-ray did not know that the image of their lungs would, within minutes, leave Kenya entirely. They signed no form authorising it. They were told nothing of Egyptian cloud servers, of radiologists working from screens in Nairobi, Riyadh, or Cairo, of artificial intelligence systems ingesting their scan as raw training data. They came for a diagnosis. What they gave away, without knowing it, was far more.

    Their DICOM file (a digital imaging format that carries not just the scan itself but embedded metadata including patient name, date of birth, scan date, referring physician, and device identifiers) was uploaded to the platform of Rology Medical Kenya Limited. From there, it transited to cloud infrastructure controlled by the company’s Egyptian parent, Rology Inc., headquartered in Cairo.

    The report that came back may or may not have been produced by a radiologist holding a valid Kenyan licence. The scan itself may or may not have been used to train a proprietary artificial intelligence product now marketed across thirteen countries and sold to hospitals in the Middle East and Africa.

    This patient does not know any of this. Neither, until recently, did the Kenyan public.

    On or around June 12, 2026, Justice Patricia Mande Nyaudi of the Milimani Constitutional and Human Rights Division of the High Court changed that. In a ruling that should trigger a national reckoning, she ordered the immediate suspension of Rology’s Kenyan operations. The company, which described itself as a revolutionary teleradiology solution expanding healthcare access to underserved Africans, was found to have operated outside the Kenya Medical Practitioners and Dentists Act, the Data Protection Act, the Digital Health Act, and the Digital Health (Data Exchange Component) Regulations 2025. The court further directed the Ministry of Health and the Kenya Medical Practitioners and Dentists Council to revoke any licences or approvals tied to the handling of patients’ portable personal health records on the platform.

    The ruling was decisive. The damage, however, was already done. By Rology’s own admission to the court, its platform had served more than 60,000 Kenyan patients and supported over forty public health facilities across the country. Those patients’ X-rays, CT scans, MRIs, and associated medical histories are already in Cairo-controlled infrastructure. The court order cannot reach them there. Kenyan law cannot compel their deletion. The patients themselves have no accessible path to demand their removal, rectification, or compensation.

    The privacy time bomb is not ticking. It has already detonated. The fallout is just not yet visible.

    “Their X-rays, CT scans, MRIs, and medical histories are already in Cairo-controlled infrastructure. The court order cannot reach them there.”

    THE COMPANY THEY DID NOT WANT KENYA TO SCRUTINISE

    Rology was founded in Cairo in October 2017 by four entrepreneurs: Amr Abodraiaa, Moaaz Hossam, Mahmoud Eldefrawy, and Bassam Khallaf. Its pitch was compelling and, in the context of genuine access challenges in African and Middle Eastern healthcare systems, not without merit: a cloud-based, zero-setup teleradiology platform that matched patient scans with remote radiologists through AI-assisted intelligent matchmaking. No infrastructure investment required. No radiologist on-site needed. Just a laptop, an internet connection, and Rology’s platform.

    The company positioned itself as addressing one of medicine’s most acute shortages. There are, by some estimates, fewer than one radiologist per million people across significant portions of sub-Saharan Africa. Fourteen African countries have no radiologists at all. Into this gap, Rology stepped with promises of thirty-minute turnaround times, twelve radiology sub-specialities, eight imaging modalities, and an AI system it claimed achieved 99.89 percent clinical accuracy.

    The marketing was polished and the investor narrative was compelling. In October 2023, Rology secured 510(k) clearance from the United States Food and Drug Administration for its platform as a Class II medical image management and processing system. The company declared this clearance established Rology as “the world’s premier FDA-cleared on-demand and 2-sided teleradiology solution.” Its Chief Medical Officer, Mahmoud Eldefrawy, stated publicly that the clearance “emphasises our commitment to cybersecurity and regulatory adherence.” Its Chief Business Officer, Moaaz Hossam, called it “hope for countless medical providers, especially SMEs and the underserved public hospitals.”

    In June 2023, Rology had already expanded into Saudi Arabia through the acquisition of Arkan United, a Jeddah-based teleradiology provider, for an undisclosed sum. By December 2025, it closed a growth funding round backed by an extraordinary roster of global health investors: the Philips Foundation, Johnson & Johnson Impact Ventures, the Sanofi Global Health Unit’s Impact Fund, and MIT Solve Innovation Future. The size of the round was not disclosed. The company said the funding would support expansion across the Middle East and Africa, with Kenya and Saudi Arabia cited as growth markets. Marketing materials released at the time highlighted the launch of eight AI tools and a network of over two hundred radiologists operating across more than thirteen countries, serving over three hundred hospitals.

    What the press releases did not mention (and what the investors were apparently not told, or did not investigate) was that Rology’s Kenyan operations were being conducted in comprehensive violation of the country’s legal framework. The company had never registered as a data controller or data processor under the Data Protection Act. It had never obtained the Certificate of Data Handler/Processor from the Office of the Data Protection Commissioner that the KMPDC had made mandatory, with a compliance deadline of March 31, 2025. Its AI platform had never been validated or certified under Kenyan law. The radiologists interpreting Kenyan patients’ scans were not verified to hold Kenyan licences. And the cross-border transfer of patients’ most sensitive health information was occurring without the explicit patient consent or adequate safeguards required by Section 48 of the Data Protection Act.

    The company was not operating in a grey area. It was operating in comprehensive defiance of the rules governing every element of what it was doing.

    THE ARCHITECTURE OF EXTRACTION

    To understand what Rology actually built in Kenya, one must understand how its platform functions technically. Hospitals connected to Rology through a tool called Rology Connect, an automatic image acquisition system that uploads DICOM files directly from the facility’s imaging equipment to the platform. Those files, containing both the scan and the embedded metadata identifying the patient, were encrypted and transmitted to Rology’s cloud infrastructure. The company’s servers, controlled from Cairo, then routed the files to available radiologists across its global network, matching cases by subspeciality and availability.

    Rology told the court that reports were subsequently reviewed by licensed Kenyan radiologists before release to hospitals. The company also told the court that it had never sold patient data. But the question is not merely whether raw data was sold. The more complex and consequential questions are these: which radiologists, in which countries, reviewed Kenyan patient scans, and under what licensing authority? To what jurisdiction were those cloud servers actually subject? Were those scans used to train Rology’s eight proprietary AI tools? Were they retained after the diagnostic purpose was fulfilled? To whom, beyond the immediate interpreting radiologist, did the data become accessible? None of these questions were satisfactorily answered during proceedings.

    What is known is the business result. In 2023, Rology’s Kenyan operations grew 169 percent in sales and 223 percent in gross revenues. That explosive growth was built directly on patient encounters: each scan generated a billable report and, crucially, a data asset. Each DICOM file that passed through Rology’s platform became, in a meaningful commercial sense, an input to the company’s artificial intelligence development pipeline. The AI tools Rology is now marketing across thirteen countries and positioning for global expansion were trained on radiology data. Some portion of that data came from Kenyan patients who were told they were getting a diagnostic service, not that they were contributing their bodies to a foreign AI company’s commercial product development.

    No benefit-sharing framework exists. No data governance agreement with the Kenyan facilities is publicly documented. No portion of the value created from Kenyan patient encounters has flowed back to those patients or to Kenya’s health system. The model is extractive by design: data flows in one direction, from Kenyan bodies to Egyptian servers, and value flows in one direction, from Kenyan encounters to a Cairo startup’s investor pitch deck.

    “In 2023, Rology’s Kenyan operations grew 223% in gross revenues. That explosive growth was built directly on patient encounters: each scan a billable report, and a data asset.”

    THE CONSENT THAT WAS NEVER GIVEN

    Informed consent in healthcare is not a bureaucratic formality. It is a constitutional right. Article 31 of the Constitution of Kenya guarantees every person the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed, and the right to have the privacy of their communications respected.

    The Data Protection Act gives teeth to this right in the digital context, establishing specific obligations on data controllers and processors, including the requirement for lawful basis for processing, purpose limitation, and explicit consent for sensitive personal data.

    Medical imaging data is among the most sensitive categories of personal information that exists. An X-ray, CT scan, or MRI reveals not just the presenting condition but potentially: reproductive health status, pregnancy, evidence of prior surgeries, signs of chronic or degenerative disease, potential genetic conditions, and markers of lifestyle that may be used for insurance or employment discrimination. DICOM files are particularly rich: the metadata embedded in each file can include patient identifiers, referring physician details, and scan parameters that may assist re-identification even if names are stripped.

    The patients who used Rology’s platform through their public health facilities consented to a diagnostic scan. Full stop. They consented to their image being interpreted and a report being returned to their doctor. They did not consent to that image leaving Kenya. They did not consent to it being processed on Egyptian cloud infrastructure. They did not consent to it being interpreted by radiologists whose location, identity, and Kenyan licensing status were not disclosed to them. They did not consent to it being used as training data for commercial AI tools sold globally. They did not consent to its indefinite retention in a foreign jurisdiction.

    The absence of consent for these secondary uses is not a minor procedural lapse. It is a fundamental violation of patients’ constitutional rights. The KMPDC had made this explicit in its December 2024 directive: data handler registration was mandatory by March 31, 2025, and the failure to obtain it would render processing of health data unlawful. Rology either ignored this directive or chose to continue operations in the knowledge that it was not compliant. The KMPDC, which issued the directive, took no visible enforcement action against Rology until the court forced its hand.

    The court’s costs order against the KMPDC in the judgment is a quiet but pointed rebuke of an institution that put patient safety at risk through inaction.

    THE DATA IN CAIRO: WHAT COULD GO WRONG

    The suspension of Rology’s Kenyan operations does not retrieve the data. More than 60,000 patient records (DICOM imaging files and associated clinical histories) remain in Egyptian-controlled cloud infrastructure. They will remain there unless and until Rology is compelled to delete them, confirms their deletion, and that deletion is independently verified. None of these conditions has yet been met. The Kenyan state has no jurisdiction over Egyptian servers. The ODPC has no enforcement reach into Cairo. Affected patients have no practical mechanism to demand deletion, correction, or access to their own records in a foreign jurisdiction.

    This creates a cascade of ongoing and escalating risks that do not diminish simply because the company’s Kenyan operations have been suspended.

    The first and most immediate risk is cybersecurity. Teleradiology platforms are among the most targeted categories of healthcare infrastructure in the global ransomware economy. Medical imaging data is extraordinarily valuable: it cannot be changed, it contains highly sensitive personal information, and healthcare organisations under ransomware pressure have historically paid. The experience of radiology providers globally is instructive and alarming. Eastern Radiologists in North Carolina suffered a network intrusion in November 2023 that exposed the protected health information of 886,746 patients, including Social Security numbers, insurance information, and imaging results; the resulting class action settlement reached USD 3.25 million.

    East River Medical Imaging in New York suffered a breach in 2023 affecting 605,809 individuals, settling for USD 1.85 million. Consulting Radiologists in Minnesota suffered a network intrusion in February 2024 affecting nearly 584,000 people, settling for USD 2.2 million.

    In each case, stolen data included medical histories, diagnoses, imaging results, and financial information. In each case, that data was published on the dark web, placing affected individuals at risk of identity theft, insurance fraud, and targeted scams for years.

    For Kenyan patients whose data sits on Rology’s servers, the risk is structurally similar but the recourse is structurally worse. American patients whose data was breached could file class actions in federal court, benefit from mandatory HHS breach notification requirements, and receive credit monitoring paid for by the settling defendants.

    Kenyan patients whose data is breached from a Cairo-based company’s servers face a different reality: enforcement requires international legal cooperation, the company’s jurisdiction is Egyptian, and practical recourse for individual patients is close to nil.

    The second risk is re-identification. The healthcare and technology research community has extensively documented that supposedly de-identified medical imaging data is far more re-identifiable than commonly assumed. DICOM files carry embedded metadata that can survive imperfect anonymisation. Medical images themselves, particularly CT scans and MRIs, contain unique anatomical features, body markers, implant signatures, and structural characteristics that sophisticated AI systems can use to re-link supposedly anonymous scans to specific individuals. Research published in leading radiology journals has confirmed that pixel-level patterns in medical images can be exploited through inference attacks conducted by third parties, revealing patient anatomy, demographics, and vendor-specific features.

    The combination of de-identified imaging data with other available information, including from prior data breaches, commercial data brokers, or social media, can permit re-identification of individuals who believed their privacy was protected.
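    As an added illustration of the two passages above on DICOM header metadata (this is example code written for this page, not code from the article or from Rology), the following Python builds a small constructed DICOM dataset in Explicit VR Little Endian, parses it back, and audits which identifying attributes are still present after a naive "remove the patient name" step. The tag list is a subset of the PS3.15 Annex E confidentiality profile; the hospital, patient and device values are constructed.

```python
"""Minimal DICOM header audit (constructed example, not a full DICOM parser).

Shows why stripping only the patient name leaves a header that still
identifies the patient: referring physician, patient ID, birth date,
accession number, institution and device serial all survive.
"""
import struct
from typing import Dict, Iterable, List, Tuple

Tag = Tuple[int, int]

# VRs whose length field is 4 bytes after 2 reserved bytes (PS3.5 section 7.1.2).
LONG_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}

# Subset of identifying attributes from the PS3.15 Annex E basic profile.
PHI_TAGS: Dict[Tag, str] = {
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0050): "AccessionNumber",
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0018, 0x1000): "DeviceSerialNumber",
}


def encode_element(tag: Tag, vr: str, value: bytes) -> bytes:
    """Encode one data element in Explicit VR Little Endian."""
    if len(value) % 2:  # DICOM values are padded to even length
        value += b"\x00" if (vr in LONG_VRS or vr == "UI") else b" "
    head = struct.pack("<HH", tag[0], tag[1]) + vr.encode("ascii")
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def parse_elements(data: bytes) -> List[Tuple[Tag, str, bytes]]:
    """Walk an Explicit VR Little Endian stream (no preamble or meta group)."""
    out, pos = [], 0
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if pos + length > len(data):
            raise ValueError("truncated element at tag (%04X,%04X)" % (group, elem))
        out.append(((group, elem), vr, data[pos:pos + length]))
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last element")
    return out


def audit_phi(data: bytes) -> Dict[str, str]:
    """Return {attribute_name: value} for every identifying tag still present."""
    found: Dict[str, str] = {}
    for tag, _vr, value in parse_elements(data):
        if tag in PHI_TAGS and value.strip(b" \x00"):
            found[PHI_TAGS[tag]] = value.decode("ascii", "replace").strip()
    return found


def strip_tags(data: bytes, tags: Iterable[Tag]) -> bytes:
    """Re-encode the dataset without the given tags; pixel data is untouched."""
    drop = set(tags)
    return b"".join(encode_element(t, vr, v)
                    for t, vr, v in parse_elements(data) if t not in drop)


# Constructed sample header: hospital, patient and device values are made up.
SAMPLE = b"".join([
    encode_element((0x0008, 0x0020), "DA", b"20260312"),
    encode_element((0x0008, 0x0050), "SH", b"ACC-0001"),
    encode_element((0x0008, 0x0080), "LO", b"Kisii County Hospital"),
    encode_element((0x0008, 0x0090), "PN", b"Doe^Jane"),
    encode_element((0x0010, 0x0010), "PN", b"Mwangi^Peter"),
    encode_element((0x0010, 0x0020), "LO", b"KE-12345"),
    encode_element((0x0010, 0x0030), "DA", b"19800101"),
    encode_element((0x0018, 0x1000), "LO", b"SN-XR-77"),
    encode_element((0x7FE0, 0x0010), "OW", bytes(16)),  # placeholder pixel data
])

# "Anonymised" by removing only the patient name, versus the full profile subset.
NAIVE = strip_tags(SAMPLE, {(0x0010, 0x0010)})
FULL = strip_tags(SAMPLE, PHI_TAGS.keys())

if __name__ == "__main__":
    print("naive strip still leaks:", audit_phi(NAIVE))
    print("profile strip leaks:", audit_phi(FULL))
```

    The naive variant still carries seven identifying attributes, which is the gap between "names stripped" and de-identified that the text describes.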

    Once a patient is re-identified from their medical imaging data, the exposure is total. Diagnoses of cancer, HIV, tuberculosis, reproductive conditions, mental health indicators, chronic disease, addiction, and physical trauma are all potentially inferable from imaging data. This information is extraordinarily valuable to insurance companies seeking to deny coverage, to employers engaged in unlawful discrimination, to blackmailers, and to identity thieves. Healthcare data commands among the highest per-record prices on illicit markets precisely because it is uniquely sensitive and practically immutable.

    The third risk is secondary commercial use. Rology’s AI tools were trained on radiology data. The company has launched eight AI products now marketed globally. There is no public disclosure of what proportion of the training data for these tools originated from Kenyan patients, under what governance framework that data was used, whether any retention or use limitations were imposed, or whether deletion of Kenyan patient data from AI training datasets (an extraordinarily difficult technical undertaking) is even possible at this stage. If Kenyan patients’ scans were used to train commercially deployed AI tools, those patients became unconsenting contributors to a commercial product generating revenue across thirteen countries, with no benefit flowing back to them.

    The fourth risk is governmental access. Egypt’s legal framework for government access to data held by domestic entities differs materially from Kenya’s. Egyptian authorities may, under applicable Egyptian law, access data held by Egyptian companies on Egyptian or Egyptian-controlled servers. There is no guarantee that Kenyan patients’ health data would be protected from such access. Kenyan law has no jurisdictional reach over such requests or disclosures.

    “Healthcare data commands the highest per-record prices on illicit markets because it is uniquely sensitive and practically immutable. These patients have no practical recourse.”

    A GLOBAL PATTERN KENYA IGNORED

    Kenya is not the first country to confront a foreign AI company using patient imaging data without adequate consent or governance. The pattern is global, and the warning signs were visible long before Rology’s Kenyan operations became the subject of litigation.

    In Australia, the country’s largest diagnostic imaging provider, I-MED Radiology Network, shared patient chest X-rays, CT scans, and associated reports with health technology firm Harrison.ai to train an AI diagnostic tool later marketed as Annalise.ai. I-MED shared a dataset that reports described as containing fewer than thirty million images. Patients were not informed, and no consent was sought. The Office of the Australian Information Commissioner opened preliminary inquiries in 2024. I-MED claimed the data had been de-identified; Harrison.ai distanced itself from responsibility, asserting that compliance was I-MED’s obligation. The OAIC ultimately concluded its inquiries without adverse finding, determining that the de-identification was sufficient. The episode nonetheless exposed a fundamental tension at the heart of AI healthcare development: patients generate the data; companies capture the value; patients are the last to know.

    In the United States, a teleradiology company called The Radiology Group was required to pay USD 3.1 million to the federal government after a Department of Justice investigation found it had fraudulently billed Medicare and Medicaid for radiology services purportedly performed by US-based radiologists when the actual interpretations had been produced by contractors in India who were not permitted to practice medicine in the United States. American radiologists had simply rubber-stamped reports prepared offshore. The settlement directly echoes the accountability gap at the heart of the Rology Kenya case: patients and payers were told one thing; a different and less accountable arrangement operated in practice.

    In Kenya itself, the anxiety over foreign custody of health data had already surfaced at the highest political levels. In December 2025, just months before the Rology ruling, the High Court suspended key components of a USD 1.6 billion to 2.5 billion health cooperation framework signed between Kenya and the United States, after civil society petitioners argued it posed risks to Kenyans’ medical data and national sovereignty. Justice Bahati Mwamuye issued conservatory orders preventing the operationalisation of any provisions that “provide for or facilitate the transfer, sharing or dissemination of medical, epidemiological or sensitive personal health data.” The court was saying, with considerable clarity, that Kenya’s health data sovereignty was non-negotiable even in transactions with allied sovereign governments. That same principle applied, with equal force, to a Cairo-based AI startup. The regulatory system simply failed to apply it.

    THREE INSTITUTIONS THAT LOOKED AWAY

    The Rology scandal is, at its core, a story of institutional failure. The company did not operate covertly. It signed contracts with public health facilities. It pitched its services to counties and hospitals. It published marketing materials naming Kenyan partnerships. It submitted evidence to a court about its scale and growth. It was not invisible. It was simply not being watched by the people whose job it was to watch.

    The Kenya Medical Practitioners and Dentists Council issued its data handler certification directive in December 2024 and made the March 31, 2025 deadline explicit. The penalties for non-compliance were clear: fines of up to KSh 5 million or 1 percent of annual turnover. There is no public record of any KMPDC enforcement action against Rology before the court ruling. The institution whose directive Rology was violating did not act. The costs order against the KMPDC in Justice Nyaudi’s judgment reflects the court’s assessment that the council bore responsibility for the environment in which this occurred.

    The Office of the Data Protection Commissioner had, by March 2026, handled over 9,000 complaints and issued enforcement notices and compensation orders in other sectors. It fined Nairobi Hospital for the unlawful use of a patient’s image in advertising materials. It pursued a credit company for sending unsolicited marketing messages. These are genuine enforcement actions on genuine violations. But the ODPC issued no enforcement notice against an operator that was processing the sensitive medical imaging data of over 60,000 Kenyans without registration as a data controller, without an ODPC certificate, and while conducting systematic cross-border data transfers in violation of Section 48 of the Data Protection Act. A company fined for using one patient photograph in an advertisement; a company transferring tens of thousands of patients’ CT scans to Egypt: one attracted enforcement action; the other did not.

    The Digital Health Agency, established precisely to ensure data security and govern health data portability and exchange systems, produced no publicly available audit, statement, or regulatory intervention regarding Rology’s operations prior to the court ruling. Its mandate existed. It did not exercise it.

    Into this regulatory vacuum, a private professional association, the Kenya Association of Radiologists, filed a petition at its own expense and pursued it to judgment. The KAR and its officials, led by Dr Gladys Mwango, Dr Brian Bwombuna, Dr Felister Wangari, and Dr Leonard Gikera, and represented by Conrad Law Advocates LLP, did what three government institutions with statutory mandates failed to do. The irony of that inversion, a professional guild doing the work of state regulators, should not pass without remark.

    THE INVESTORS WHO FUNDED NON-COMPLIANCE

    The December 2025 funding round that Rology closed was not the backing of a fringe operator. The Philips Foundation is the philanthropic arm of one of the world’s largest medical technology companies, with a stated mission of improving access to quality healthcare. Johnson & Johnson Impact Ventures is the impact investing vehicle of the largest healthcare conglomerate on earth. The Sanofi Global Health Unit’s Impact Fund is backed by one of the world’s largest pharmaceutical companies. MIT Solve Innovation Future is associated with one of the world’s most respected research universities. These are not investors without the resources, expertise, or institutional capability to conduct due diligence on regulatory compliance in a specific market they cited as a growth engine.

    Rology’s December 2025 press materials explicitly cited Kenya as a growth market. The round was raised to “support its expansion in the Middle East and Africa” and “widen access to faster diagnostics in low- and middle-income countries.” Kenya was the proof point, the operational example, the demonstration of impact. The investors who validated Rology’s growth narrative in December 2025 were, at that moment, less than three months from a court ruling that would find the operations they had funded to be in comprehensive violation of Kenyan law.

    What due diligence was performed on Rology’s data protection registration status in Kenya? What due diligence was performed on whether interpreting radiologists held valid Kenyan licences? What due diligence was performed on the governance framework for cross-border patient data transfers? These are not arcane questions. They are the foundational compliance questions that any responsible investor in a healthcare platform operating in a regulated jurisdiction should be asking before committing capital. They remain, for now, unanswered. These investors owe the public a full account.

    THE RECKONING THAT IS NOW REQUIRED

    The court has ruled. Rology’s Kenyan operations are suspended. But the ruling closes a chapter that should not have opened; it does not resolve the consequences that are already in motion.

    The Office of the Data Protection Commissioner must open a formal, urgent investigation into every aspect of Rology’s data operations in Kenya: what data was collected, how it was processed, where it was stored, to whom it was transferred, on what legal basis, what it was used for beyond the immediate diagnostic purpose, whether it was incorporated into AI training datasets, and whether any deletion or security protocols were implemented when operations were suspended. This investigation must have forensic rigour, not the procedural caution that characterised the ODPC’s pre-ruling inaction.

    The Digital Health Agency must audit every public health facility that connected to Rology’s platform and produce a public account of the data that left those facilities, the legal basis on which it was transferred, and the current status of that data in Rology’s infrastructure. The results must be published. Affected counties and facilities must be named.

    Digital Health Agency CEO Eng. Antony Lenaiyara

    The KMPDC must account publicly for why its March 2025 compliance directive produced no enforcement action against Rology. The institution that issued the rules must explain why it did not enforce them.

    Rology’s investors (Philips Foundation, Johnson & Johnson Impact Ventures, Sanofi, and MIT Solve) must each issue public statements describing the due diligence they conducted on regulatory compliance, data protection, and patient consent frameworks in Kenya before committing capital. The silence of global health investors when their portfolio companies are found to have processed tens of thousands of patients’ health records unlawfully is not a neutral position.

    Most urgently, the sixty thousand-plus Kenyan patients whose data is in Egyptian custody must be informed. They must be told what data was taken, where it sits, what it was used for, what risks they face, and what steps are being taken to protect them. This notification should not wait for litigation or regulatory proceedings to conclude. It should happen now.

    Kenya must also urgently accelerate the legislative and regulatory architecture that the Rology case exposed as insufficient. The Artificial Intelligence Bill 2026 must include binding provisions for high-risk healthcare AI applications, including mandatory registration, impact assessments, human oversight requirements, and explicit consent frameworks for secondary use of medical data. Cross-border health data transfers must be treated with the seriousness of critical national security infrastructure, not as an afterthought in investor pitch decks.

    “These 60,000 patients did not sign up to become data points in a foreign AI pipeline. They went to a clinic for a scan. The system that was supposed to protect them failed at every level.”

    WHAT ROLOGY DOES NOT WANT YOU TO KNOW

    Rology has deployed, in its public communications, a set of claims that warrant direct scrutiny in the light of the court’s findings.

    The company claims FDA clearance validates its platform’s safety and legality. This is materially misleading. The FDA 510(k) clearance K231385, granted in October 2023, covers the platform as a Class II medical image management and processing system. It addresses the technical functionality of the platform: image acquisition, encryption, transmission, and display. It does not confer any authorisation to operate medical services in Kenya. It does not address compliance with Kenya’s Data Protection Act. It does not constitute a licence to process Kenyan patients’ personal health data without their consent. The FDA clearance and Rology’s Kenyan legal obligations are entirely separate matters, and the company’s suggestion that one validates the other is false.

    The company claims its platform disclaims responsibility for diagnostic accuracy. This liability escape is among the most troubling features of its model. Rology marketed accuracy rates as high as 99.89 percent while simultaneously, reportedly, disclaiming responsibility for the accuracy of medical reports generated through the platform. A patient who suffered harm from a misdiagnosis or delayed diagnosis on the Rology platform would have faced a fractured accountability chain: a foreign parent company, global radiologists whose jurisdictional status is unclear, local validators, and AI outputs sheltered by pre-emptive liability shields. This is not a legitimate model for the practice of medicine.

    The company claims it addressed radiologist shortages and expanded healthcare access. This argument has genuine merit as a description of need; it has no merit as a justification for operating outside the law. The shortage of radiologists in Kenya is real. The consequences of that shortage (delayed diagnoses, missed cancers, undertreated conditions) are genuinely severe. But those consequences cannot justify a company processing Kenyan patients’ most intimate health information without consent, without registration, without oversight, and in violation of the data sovereignty framework Kenya’s legislature and courts have established. Access without accountability is exploitation by another name.

    The company claims it served public health facilities and therefore served public interest. What this framing conceals is the commercial reality: Rology was not operating a charity. It was a venture-backed startup that grew 223 percent in gross revenues in a single year in Kenya alone. The public facilities it served became, on this model, channels for extracting commercial value from Kenya’s most vulnerable patients. The rural patient in Kisii who went for an X-ray did not receive a subsidised service. They provided, without knowing it, commercial raw material for a Cairo startup’s AI development pipeline.

    THE CLOCK STILL RUNNING

    The data has already left. More than 60,000 Kenyans, disproportionately from public health facilities and disproportionately from lower-income communities with the least capacity to assert rights or seek redress, had their most sensitive medical information extracted, transferred across borders, and processed outside any framework they consented to or that Kenya’s law authorised. Some of them may have cancers detected in those scans. Some may have TB or HIV diagnoses inferable from their imaging. Some may have reproductive health conditions. Some may be identifiable from their anatomical features alone. None of them know their data is in Cairo. None of them can easily get it back.

    Rology will likely appeal the suspension. The company has infrastructure, investors, and a global network. It is not going quietly. Its legal team will argue that its local affiliate is a duly incorporated Kenyan company, that its platform provides genuine healthcare benefits, that its AI tools meet international standards, and that the regulatory framework it was operating in was unclear. Some of these arguments have surface plausibility. None of them addresses the foundational fact that the company processed the health data of 60,000 Kenyans without legal authorisation and without the consent of the patients whose bodies it digitised.

    The pattern of what happened in Kenya is not unique to Rology and not unique to Africa. Global AI companies, backed by global investors, are systematically mining health data from low- and middle-income country populations: populations with less regulatory capacity to resist, less legal infrastructure to pursue redress, and less political power to compel accountability. The data flows from the Global South to corporate servers in Cairo, Riyadh, Tel Aviv, and San Francisco. The AI tools trained on that data are sold back to the same markets at prices those populations struggle to afford. The patients who generated the value receive nothing. The investors who funded the extraction are celebrated at Davos.

    Kenya has a functioning data protection law, a Constitutional Bill of Rights, and courts willing to enforce them. Those instruments worked here, eventually, thanks to the persistence of a professional association that was willing to spend its own resources fighting what the state would not. The question now is whether the state will finish what the courts started: whether the ODPC, the Digital Health Agency, the KMPDC, and the Ministry of Health will treat this ruling as a mandate for genuine reckoning, or whether they will allow it to pass as an administrative footnote while the clock on 60,000 Kenyans’ privacy runs out in silence.

    The bodies have been digitised. The scans are in Cairo. And the accountability, at long last, must follow them there.

  • Your Medical Records Were Wide Open: How Three Digital Lenders Hacked the Heart of Kenya’s Health System and the DHA Chief Who Looked Away

    The messages arrived in a sequence that would alarm any person who understands what the Social Health Authority database contains. First came a screenshot of a complete SHA member profile: name, date of birth, national identification number, medical coverage status, OTP whitelisting controls, and a live button that the sender could press to refresh the member’s records directly from the AfyaYangu system. Then came the employer details of a relative. Then came the confirmation, in plain WhatsApp text, that the person sending all of this was a debt collector working for a licensed digital lending company.

    “Raha pesa is still pending,” the collector wrote. “There are so many ways of killing a rat, buddy.” Attached to the threat was a screenshot pulled live from within the SHA system, complete with the borrower’s SHA registration number, date of birth, and a functional interface button reading: Refresh Member and Dependants From AfyaYangu. Another button read: Request OTP Whitelisting for Member.

    This was not a leak. This was not a historical dump sold on a dark web forum. This was a live, active, real-time breach of a government health database, wielded as a debt collection weapon against a Kenyan citizen whose only offence was falling behind on a seven-day mobile loan worth a few thousand shillings.

    Kenya Insights has seen the complaint letter, WhatsApp transcripts, SMS records, and photographic evidence establishing that agents and employees of at least three digital lending companies, namely Payablu Credit Limited trading as Tuma Cash, Loan Plus Digital Credit Provider Limited trading as DG Loan, and Gotway Limited trading as Tena Pesa, had functional, logged-in access to the SHA member database in April 2026.

    The evidence shows that agents used this access to extract and weaponise the health, employment, and biographical information of borrowers and their family members during debt recovery operations.

    The evidence also shows that a written complaint documenting all of this was sent by email to the office of Eng. Anthony Lenaiyara, the Acting Chief Executive Officer of the Digital Health Agency, as far back as April 15, 2026. He has not responded. He has not acted. He has not acknowledged. The SHA system remained open.

    Inside the Breach: What the Loan Agents Could See

    The SHA database, managed operationally by the Digital Health Agency through its Comprehensive Integrated Health Information System and the public-facing AfyaYangu platform, holds the registration records of every Kenyan who has enrolled in the Social Health Insurance Fund since it opened in October 2024. As of April 2026, that figure exceeded 30 million registered members.

    The records stored in the system include full legal names, national identification numbers, dates of birth, SHA customer registration numbers, employer details, coverage periods, dependent relationships, medical history accessible through the health information exchange, and OTP management controls that govern a member’s access to health services.

    The screenshots reviewed by Kenya Insights show debt collection agents operating what appears to be an internal or third-party interface connected directly to the SHA backend.

    On one screen, a complete SHA member profile is displayed with active function buttons.

    The interface is not a static screenshot downloaded from a public page. It is a live panel with interactive controls, including a green button to refresh the member’s records from AfyaYangu in real time and an orange button to request OTP whitelisting, a function that modifies a member’s actual SHA account settings. The agent who sent these screenshots to a borrower described themselves, when confronted directly, as working for Tena Pesa.

    A second set of screenshots, from a separate agent operating from a different number, shows the SHA record of the borrower’s brother, including the brother’s name, employer identification, insurance policy period, and relationship status within the SHA system.

    The employer in question has been identified as a leading communications marketing firm in Nairobi. It was pulled directly from the SHA database, where the brother’s SHA contributory employer was recorded.

    The same agent then threatened to send correspondence to the official email addresses and phone numbers of the marketing firm, information also sourced, they confirmed, from within the SHA system.

    When asked directly how they had access to SHA and the wider Universal Health Coverage system, the agent responded casually: “Let me do it. Tupate pesa. Then I tell you more about it. Am very idle. I got lot of time to explain.” The agent later confirmed, unprompted, that this access is used against multiple borrowers. “You are not the first person,” the agent told the borrower.

    A third agent, using a WhatsApp number with the display name MODERATE, sent a stream of messages containing the borrower’s employer details sourced from the SHA system, repeated six times in succession, before issuing a tirade demanding loan repayment. The same shortcode channel sent messages containing details that could only have originated from the SHA database.

    The Companies: Who Are Tuma Cash, DG Loan, and Tena Pesa?

    Payablu Credit Limited, the company behind the Tuma Cash lending application, is registered in Kenya and offers short-term mobile loans typically repayable within seven days.

    Loan Plus Digital Credit Provider Limited, operating the DG Loan application, markets itself on the Apple App Store as a fast, secure, and fully licensed lender offering loans of up to Ksh 900,000 at stated APRs of between 12 and 36 percent.

    Its developer privacy disclosures on the App Store acknowledge that the application collects location data, contact information, identifiers, and usage data, and that this data may be used to track users across other apps and websites.

    Gotway Limited operates Tena Pesa, a third mobile lending application with a similar seven-day product structure.

    All three companies entered the market by offering instant, paperless loans disbursed directly to M-Pesa. All three required, as a condition of loan disbursement, access to a borrower’s phone data including contacts, a practice that has long served as the foundation for the harassment-by-contacts model that Kenyan regulators have spent years attempting to suppress.

    What distinguishes this case from ordinary digital lending harassment, however, is not the contact harvesting. It is the apparent integration with, or infiltration of, a government health database.

    The critical question is not only how these companies obtained access to SHA records, but whether that access was granted officially, procured through a rogue employee or contractor within the Digital Health Agency or SHA, or achieved through an API vulnerability that nobody in government has yet acknowledged. None of the three companies responded to questions sent by Kenya Insights prior to publication.

    The Warning That Went Nowhere: DHA’s Deafening Silence

    On April 13, 2026, a Nairobi resident who had been subjected to the attacks prepared a formal complaint letter addressed to three senior officials: Mr. Mohamed I. Amin, Director of Criminal Investigations; Eng. Anthony Lenaiyara, Acting CEO of the Digital Health Agency; and Dr. Kamau Thugge, Governor of the Central Bank of Kenya.

    The letter, which Kenya Insights has reviewed in full, described in methodical detail the specific companies involved, the nature of the access, the personal data that had been extracted, and the legal provisions it violated. It attached evidence and invoked Section 16 of the Access to Information Act 2016.

    On April 15, 2026, the complainant sent a follow-up email directly to the CEO Office of the Digital Health Agency, attaching the full complaint letter and marking it urgent.

    The subject line was clear: Sha Data Breach Complaint. The email named Payablu Credit, Loan Plus Digital Credit, and Gotway Limited explicitly. It described the live, ongoing nature of the breach and asked that it be contained immediately. It noted that over 30 million Kenyans had been exposed.

    Six weeks have passed. Eng. Lenaiyara has not responded. The DHA has issued no public statement about the breach. The SHA system, as far as any available public evidence indicates, has not been secured against this specific form of access. No arrest has been made. No company has been sanctioned. No investigation has been publicly announced.

    The irony is difficult to overstate.

    In December 2025, Eng. Lenaiyara told the media that the AfyaYangu platform is anchored under the Digital Health Act 15 of 2023 and that legal provisions exist to safeguard against risks around sensitive medical records.

    In June 2025, he stood beside Cabinet Secretary Aden Duale at Afya House to announce that digital transformation is the backbone of an efficient and transparent healthcare system.

    Just weeks before the SHA email arrived in his office, his agency was still issuing press statements boasting about portability of patient data across health facilities. The patient data was portable, indeed. Portable straight into the hands of a debt collector at a Nairobi loan app.

    The Digital Health Information Management Procedures Regulations of 2025, promulgated by the DHA’s own parent framework, require any health data controller to notify the CEO of the DHA within 48 hours of becoming aware of a data breach.

    They require a full incident report within 72 hours.

    They require implementation of an Incident Response Plan. Eng. Lenaiyara’s office was the recipient of the notification. His office is also, under the same framework, the body legally required to act on it. He received the complaint. He did nothing.

    A System Already Bleeding: SHA’s Catastrophic Security Record

    The data breach documented in this investigation does not exist in isolation.

    It is the latest wound on a health system that has bled consistently since SHA began operations in October 2024.

    The Auditor-General’s office has flagged Ksh 50 billion in unsupported, irregular, or untraced payments from the Social Health Insurance Fund in the year ending June 2025.

    Within that sum, Ksh 7.3 billion that SHIF reported transferring to SHA is not reflected in SHA’s own accounts. The money has simply vanished. A further Ksh 4.78 billion was disbursed using service codes that have never been gazetted. The system that was supposed to end the corruption of NHIF has thus far produced a scandal of staggering proportions.

    In October 2025, a catastrophic data breach struck M-TIBA, a Safaricom-backed mobile health platform.

    A threat actor known as Kazu claimed to have stolen 2.15 terabytes of health data covering up to 4.8 million users, including medical diagnoses, billing records, national identification numbers, and clinical visit histories from approximately 700 health facilities.

    The breach was advertised on dark web forums, with a 2 gigabyte sample offered as proof of access. The Office of the Data Protection Commissioner launched an investigation. No prosecution has been publicly confirmed to date.

    Then in March 2026, SHA’s own digital platform suffered what it described as a critical system failure, taking down pre-authorisation services across contracted health facilities nationwide for days.

    SHA CEO Dr. Mercy Mwangangi issued a public notice but offered no technical explanation of the failure’s origin.

    The pattern is consistent: a system of extraordinary national sensitivity, holding the health and biometric data of tens of millions of Kenyans, suffering repeated crises, with no accountability and no forensic transparency.

    Between April and June 2025, the Communications Authority of Kenya recorded more than 4.6 billion cyberattacks against Kenyan digital infrastructure, an 80 percent increase from the previous quarter.

    Kenya’s digital health systems are being built faster than they are being secured.

    The SHA database, containing 30 million members’ medical and biographical records, sits at the intersection of every vulnerability in that ecosystem.

    The Wider Scandal: An Industry Built on Stolen Data

    The digital lending industry’s relationship with data it has no right to possess is not a new story in Kenya.

    By early 2025, the Office of the Data Protection Commissioner had received more than 4,000 complaints from Kenyans alleging that digital lenders had misused their personal data. Of those, only a fraction resulted in formal investigations.

    The ODPC has signalled that it will audit at least 40 digital lenders for data breaches, but enforcement has been characterised by legal experts as slow and administratively thin against an industry that moves at the speed of a WhatsApp message.

    What makes the SHA breach qualitatively different from the known offences of the digital lending sector is the nature of the data being accessed. When a loan app harvests your contacts and calls your mother, it is committing an offence under the Computer Misuse and Cybercrimes Act and the Data Protection Act.

    When a loan app is operating inside the government’s national health database, refreshing your medical records in real time, viewing your coverage details, accessing your employer’s information from your SHA registration, and threatening to weaponise that information unless you pay a loan, it has crossed into territory that the complaint letter accurately describes as a national security matter.

    The agent who identified as working for Tena Pesa did not merely boast of having access. They confirmed, without any apparent concern about legal consequences, that this was routine. “You are not the first person,” they said.

    That statement implies an established practice, a business model that incorporates unauthorised health data access as a standard tool of debt recovery.

    The question for investigators is therefore not only how many borrowers of Tuma Cash, DG Loan, and Tena Pesa have had their SHA records accessed and weaponised, but whether other digital lenders operating in Kenya have found the same door open.

    The Business Laws (Amendment) Act, 2024, which took effect on January 1, 2025, elevated harassment by digital lenders from an administrative infraction to a criminal offence.

    The CBK Digital Credit Providers Regulations 2022 explicitly prohibit contacting third parties, including family members and employers, without prior consent.

    The Computer Misuse and Cybercrimes Act 2018 criminalises unlawful access to computer data under Section 5 and computer fraud under Section 26. The Penal Code provides for prosecution under handling stolen goods at Section 322 and conspiracy at Section 393.

    The Data Protection Act authorises the ODPC to impose fines of up to Ksh 5 million or two percent of annual turnover, whichever is higher.

    The law is comprehensive. The evidence is documented. The complaint was filed. The agency responsible for security was formally notified. Nothing happened.

    Questions That Demand Immediate Answers

    Kenya Insights sent questions to the Digital Health Agency, the Social Health Authority, the Office of the Data Protection Commissioner, the Directorate of Criminal Investigations, and the three companies named in this investigation: Payablu Credit Limited, Loan Plus Digital Credit Provider Limited, and Gotway Limited. At the time of publication, none had responded.

    The questions that require urgent public answers are these: How did employees or agents of these three digital lending companies obtain what appears to be live, interactive access to the SHA member database? Was this access granted through a formal integration, procured through a corrupt insider within the DHA or SHA, or achieved through an unpatched vulnerability in the system architecture? How many Kenyan borrowers across all digital lenders have had their SHA records accessed without their knowledge or consent? What disciplinary or criminal action is being taken against the named companies, their directors, and their agents? And why has Eng. Anthony Lenaiyara, the Acting CEO of the Digital Health Agency, failed to respond to a formal breach notification submitted to his office six weeks ago?

    Eng. Lenaiyara has been publicly articulate about the promise of digital health in Kenya. He has spoken at international forums, briefed parliamentary committees, and championed the AfyaYangu platform as a transformative tool. But a system that stores the medical history of 30 million Kenyans is only as valuable as its security, and a regulator is only as credible as his willingness to act when the system fails. The evidence presented in this investigation suggests that, on both counts, the Digital Health Agency has failed catastrophically.

    What Must Happen Now

    The DCI must immediately investigate Payablu Credit Limited, Loan Plus Digital Credit Provider Limited, and Gotway Limited for offences under the Computer Misuse and Cybercrimes Act, the Data Protection Act, the Penal Code, and the Anti-Money Laundering and Combating of Terrorism Financing Act.

    The investigation must include a full forensic audit of how these companies obtained SHA system access, who within the government or the technology supply chain facilitated that access, and how many individuals have been affected.

    The ODPC must immediately audit all licensed and unlicensed digital lenders for SHA system access and impose emergency enforcement measures against those found to be operating in the database. The CBK must suspend or revoke the licenses of the named companies pending investigation. The Ethics and Anti-Corruption Commission must examine whether any official within the DHA or SHA enabled or facilitated this access.

    And Cabinet Secretary Aden Duale, who has championed digital transformation at SHA with great political energy, must now answer for the man he appointed to guard it. Eng. Anthony Lenaiyara received a written, documented, evidence-backed breach notification six weeks ago. He is still in his office. The SHA database is still running. The companies that accessed it have not been charged.

    The health records of 30 million Kenyans were not an abstraction. They were a weapon. And someone in government left the armoury unlocked.