A massive cybercrime racket in India, where hackers sold sensitive maternity ward footage online, serves as a stark warning for Kenya's healthcare sector, highlighting urgent vulnerabilities in patient data protection.

A sophisticated cybercrime operation in India has exposed the profound vulnerability of sensitive patient data, after hackers stole and sold intimate footage from a maternity hospital's CCTV cameras. The incident, which came to light earlier this year, saw videos of pregnant women undergoing medical examinations circulated on YouTube and sold on the encrypted messaging app Telegram, prompting a nationwide investigation by Indian authorities. According to police in Gujarat state, the breach was part of a much larger scheme, with hackers gaining unauthorised access to an estimated 50,000 CCTV cameras in hospitals, schools, and private homes across 20 states.
The investigation by the Ahmedabad Cyber Crime Unit revealed that the perpetrators exploited weak cybersecurity measures, including the use of default passwords like "admin123" on hospital camera systems. The hackers then sold the stolen footage for fees ranging from 800 to 2,000 Indian Rupees (approximately KSh 1,200 to KSh 3,000). As of late February 2025, at least seven suspects had been arrested in connection with the racket, facing charges of privacy invasion and distributing obscene content.
The events in India cast a harsh light on the potential for similar security failures within Kenya's own healthcare system. As Kenyan hospitals increasingly adopt digital technologies like electronic medical records and networked medical devices, the risk of cyberattacks grows exponentially. Cybersecurity experts warn that many local healthcare institutions may be ill-prepared for such threats, often operating with outdated software and insufficient staff training on data protection protocols. A 2024 study on Kenyatta National Hospital, for instance, identified several critical vulnerabilities that could expose sensitive patient records.
The Kenyan healthcare sector is already a prime target for cybercriminals. In the first quarter of 2025, government and health institutions were the majority targets of over 3.6 million Distributed Denial-of-Service (DDoS) attacks. Furthermore, ransomware attacks against the sector saw a 95% increase in late 2024, with criminals demanding hefty ransoms to release encrypted patient data. These attacks not only compromise patient privacy but also have the potential to disrupt essential medical services and erode public trust in the digital health system.
Kenya's legal framework for data protection is robust, but its enforcement in the face of evolving cyber threats remains a critical challenge. The Data Protection Act, 2019, which aligns closely with the EU's GDPR, governs the collection, processing, and storage of personal data. Under this Act, images and videos captured by CCTV cameras are considered personal data, and their collection requires a legitimate purpose and transparency.
Organisations using CCTV, especially for crime prevention, are considered data controllers and must register with the Office of the Data Protection Commissioner (ODPC). They are legally obligated to inform individuals that they are under surveillance through clear signage and must have appropriate security measures to protect the collected data. Failure to comply can result in severe penalties, including fines of up to KSh 5 million or 1% of an entity's annual turnover.
A May 2023 High Court ruling in *Ondieki V Maeda* reinforced these principles, finding a homeowner liable for violating a neighbour's constitutional right to privacy by installing CCTV cameras that recorded their property without consent. This precedent underscores the legal expectation of privacy, even in security contexts.
The Indian hospital hack is a critical wake-up call. It demonstrates how easily basic security oversights can be exploited with devastating consequences for patient dignity and privacy. For Kenya, it highlights the urgent need for a multi-faceted approach to securing the healthcare sector. This includes greater investment in modern, secure IT infrastructure, regular cybersecurity training for all hospital staff, and the mandatory appointment of Data Protection Officers in healthcare facilities.
Healthcare providers must conduct regular data protection impact assessments (DPIAs), especially before installing surveillance systems, to identify and mitigate risks. As the country continues its digital transformation, ensuring the integrity and confidentiality of patient data is not merely a matter of legal compliance but a fundamental requirement for maintaining trust in the healthcare system. The vulnerabilities are clear, and the time for proactive, comprehensive action is now. FURTHER INVESTIGATION REQUIRED into the specific cybersecurity readiness of individual Kenyan county and private hospitals.