Questions are growing over the safety of private medical records under the Social Health Authority (SHA) after a Nairobi man discovered treatment records in his account for services he says he never received.
Obed Oruki was surprised to find that his SHA portal showed he had been treated for a urinary tract infection at a health facility in Garissa County on May 6, 2026, at exactly 7:16 a.m. At that time, he says, he was in his office in Nairobi working and had never traveled to Garissa.
Obed explained that he decided to check his SHA account out of curiosity after watching discussions online about possible problems in digital systems. What he found left him confused and concerned.
At first, he thought it might be a mistake and refreshed the page. However, the same information appeared again. He then checked the medical history section and realized something was seriously wrong.
Obed says he has private medical insurance and has never used his SHA cover before.
Despite this, the records showed that someone had undergone medical assessment using his details.
The system indicated that the account had first been accessed at midnight. A few hours later, patient vital signs were entered, followed by a diagnosis and prescription. The false records showed he had been diagnosed with a urinary tract infection and prescribed Cefixime 400 milligrams for five days and Paracetamol 500 milligrams.While many Kenyans online joked about the unusual diagnosis, Obed says his main concern is the possibility that someone could access his account and make medical decisions using his identity.
He worries that such false records could remain in the system for years and possibly affect him in the future.
Citizen TV traced the service provider number listed in the records and found that it belonged to Hagardul Dispensary, a government-owned Level Two health facility in Dertu Ward, Dadaab Sub-County, Garissa County.
An individual identified as Idle Kusow Hassan was listed as the person who made the entries. However, Citizen TV could not confirm whether the person works at the facility or what role they hold. Attempts to reach the dispensary for comment were unsuccessful.
Obed also noted that he never received any OTP notification before the suspicious access, although he did receive one when he later logged into his own account.
This made him suspect that the breach may have involved someone with internal access.
Digital Health Authority Chief Executive Officer Anthony Lenayara said member information is protected through strong authentication and consent systems. However, he added that they had not yet received enough details about this specific case to fully verify the claims.
