National Health Insurance Fund (NHIF) has been found liable for violating a member’s privacy rights after mistakenly enrolling unknown individuals as beneficiaries and removing the member’s spouse from his medical cover. The Office of the Data Protection Commissioner (ODPC) ruled that NHIF failed to meet its legal obligations under the Data Protection Act, 2019, and issued an enforcement notice demanding corrective action.
In a determination released by the Data Commissioner Immaculate Kassait, NHIF was ruled to have infringed upon the privacy rights of one of its members, Simon Mukabane Okwomi, by erroneously adding six unrelated individuals to his insurance cover and removing his lawful spouse. The ruling followed an investigation by the ODPC after Okwomi lodged a complaint in September 2023, accusing NHIF of failing to correct the error despite repeated requests.
The case revolved around Okwomi’s discovery that unknown beneficiaries had been added to his NHIF card, rendering his wife unable to access medical services under his cover. In his complaint, Okwomi stated that NHIF refused to rectify the problem, forcing him to pay out-of-pocket for his wife’s medical treatment. He demanded an immediate correction of the names listed under his insurance plan and sought compensation for the financial impact.
NHIF, in its defense, admitted that a system error led to the erroneous addition of the beneficiaries but insisted that none of the unrelated individuals had accessed medical benefits. However, NHIF was unable to provide substantial evidence to prove that the incorrect beneficiaries had been removed or that the issue had been resolved, prompting further scrutiny from the Data Commissioner.
The Commissioner’s investigation highlighted flaws in NHIF’s data management systems, notably a lack of validation controls that allowed incorrect data to be added without proper verification. NHIF’s internal systems failed to require the double-checking of member ID numbers when updating beneficiaries, which ultimately led to the incorrect entries. This lapse, according to the Commissioner, demonstrated NHIF’s failure to comply with Section 25 of the Data Protection Act, which mandates accuracy and timely rectification of personal data.
“The respondent’s systems do not comply with the provisions of the Act to incorporate data protection by design and by default,” Kassait’s determination read, underscoring NHIF’s obligation to adhere to data protection principles when handling sensitive personal information.
As a remedy, the Commissioner issued an enforcement notice compelling NHIF to correct Okwomi’s beneficiary list and implement stricter safeguards in its data processing systems to prevent similar incidents. The ruling emphasized the importance of protecting personal data and ensuring that state agencies like NHIF adhere to their legal responsibilities under the Data Protection Act.
Despite the ruling in Okwomi’s favor, his request for financial compensation was denied. The Commissioner noted that while Okwomi claimed to have incurred out-of-pocket medical expenses due to NHIF’s error, he had not provided sufficient evidence or quantified the amount spent. Consequently, no order for compensation was made.
Both parties have 30 days to appeal the decision in the High Court, though it remains unclear whether NHIF will contest the ruling.
