How an Egyptian-Headquartered AI Medical Platform Harvested the Sensitive Health Data of Over 60,000 Kenyans — Leaving Thousands Exposed to a Mega Privacy Catastrophe in Foreign Hands

How an Egyptian AI Startup Quietly Built a Data Empire on the X-rays and CT Scans of 60,000 Kenyans and Left Their Most Intimate Medical Secrets in Foreign Custody

A Cairo-headquartered AI company operated for years inside Kenya’s public health system, processing the bodies and medical secrets of tens of thousands of the country’s most vulnerable citizens without a single valid licence, data registration, or meaningful patient consent. The courts have now acted. But the data is already gone. This is the story of how it happened, who enabled it, and what the disaster that may yet come could look like.

THE MORNING A PATIENT’S LUNGS LEFT THE COUNTRY

The patient who walked into a public health facility in Kisii County for a chest X-ray did not know that the image of their lungs would, within minutes, leave Kenya entirely. They signed no form authorising it. They were told nothing of Egyptian cloud servers, of radiologists working from screens in Nairobi, Riyadh, or Cairo, of artificial intelligence systems ingesting their scan as raw training data. They came for a diagnosis. What they gave away, without knowing it, was far more.

Their DICOM file, a digital imaging format that carries not just the scan itself but embedded metadata including patient name, date of birth, scan date, referring physician, and device identifiers, was uploaded to the platform of Rology Medical Kenya Limited. From there, it transited to cloud infrastructure controlled by the company’s Egyptian parent, Rology Inc., headquartered in Cairo.

The report that came back may or may not have been produced by a radiologist holding a valid Kenyan licence. The scan itself may or may not have been used to train a proprietary artificial intelligence product now marketed across thirteen countries and sold to hospitals in the Middle East and Africa.

This patient does not know any of this. Neither, until recently, did the Kenyan public.

On or around June 12, 2026, Justice Patricia Mande Nyaudi of the Milimani Constitutional and Human Rights Division of the High Court changed that. In a ruling that should trigger a national reckoning, she ordered the immediate suspension of Rology’s Kenyan operations. The company, which described itself as a revolutionary teleradiology solution expanding healthcare access to underserved Africans, was found to have operated outside the Kenya Medical Practitioners and Dentists Act, the Data Protection Act, the Digital Health Act, and the Digital Health (Data Exchange Component) Regulations 2025. The court further directed the Ministry of Health and the Kenya Medical Practitioners and Dentists Council to revoke any licences or approvals tied to the handling of patients’ portable personal health records on the platform.

The ruling was decisive. The damage, however, was already done. By Rology’s own admission to the court, its platform had served more than 60,000 Kenyan patients and supported over forty public health facilities across the country. Those patients’ X-rays, CT scans, MRIs, and associated medical histories are already in Cairo-controlled infrastructure. The court order cannot reach them there. Kenyan law cannot compel their deletion. The patients themselves have no accessible path to demand their removal, rectification, or compensation.

The privacy time bomb is not ticking. It has already detonated. The fallout is just not yet visible.

“Their X-rays, CT scans, MRIs, and medical histories are already in Cairo-controlled infrastructure. The court order cannot reach them there.”

THE COMPANY THEY DID NOT WANT KENYA TO SCRUTINISE

Rology was founded in Cairo in October 2017 by four entrepreneurs: Amr Abodraiaa, Moaaz Hossam, Mahmoud Eldefrawy, and Bassam Khallaf. Its pitch was compelling and, in the context of genuine access challenges in African and Middle Eastern healthcare systems, not without merit: a cloud-based, zero-setup teleradiology platform that matched patient scans with remote radiologists through AI-assisted intelligent matchmaking. No infrastructure investment required. No radiologist on-site needed. Just a laptop, an internet connection, and Rology’s platform.

The company positioned itself as addressing one of medicine’s most acute shortages. There are, by some estimates, fewer than one radiologist per million people across significant portions of sub-Saharan Africa. Fourteen African countries have no radiologists at all. Into this gap, Rology stepped with promises of thirty-minute turnaround times, twelve radiology sub-specialities, eight imaging modalities, and an AI system it claimed achieved 99.89 percent clinical accuracy.

The marketing was polished and the investor narrative was compelling. In October 2023, Rology secured 510(k) clearance from the United States Food and Drug Administration for its platform as a Class II medical image management and processing system. The company declared this clearance established Rology as “the world’s premier FDA-cleared on-demand and 2-sided teleradiology solution.” Its Chief Medical Officer, Mahmoud Eldefrawy, stated publicly that the clearance “emphasises our commitment to cybersecurity and regulatory adherence.” Its Chief Business Officer, Moaaz Hossam, called it “hope for countless medical providers, especially SMEs and the underserved public hospitals.”

In June 2023, Rology had already expanded into Saudi Arabia through the acquisition of Arkan United, a Jeddah-based teleradiology provider, for an undisclosed sum. By December 2025, it closed a growth funding round backed by an extraordinary roster of global health investors: the Philips Foundation, Johnson & Johnson Impact Ventures, the Sanofi Global Health Unit’s Impact Fund, and MIT Solve Innovation Future. The size of the round was not disclosed. The company said the funding would support expansion across the Middle East and Africa, with Kenya and Saudi Arabia cited as growth markets. Marketing materials released at the time highlighted the launch of eight AI tools and a network of over two hundred radiologists operating across more than thirteen countries, serving over three hundred hospitals.

What the press releases did not mention (what the investors were apparently not told, or did not investigate) was that Rology’s Kenyan operations were being conducted in comprehensive violation of the country’s legal framework. The company had never registered as a data controller or data processor under the Data Protection Act. It had never obtained the Certificate of Data Handler/Processor from the Office of the Data Protection Commissioner that the KMPDC had made mandatory, with a compliance deadline of March 31, 2025. Its AI platform had never been validated or certified under Kenyan law. The radiologists interpreting Kenyan patients’ scans were not verified to hold Kenyan licences. And the cross-border transfer of patients’ most sensitive health information was occurring without the explicit patient consent or adequate safeguards required by Section 48 of the Data Protection Act.

The company was not operating in a grey area. It was operating in comprehensive defiance of the rules governing every element of what it was doing.

THE ARCHITECTURE OF EXTRACTION

To understand what Rology actually built in Kenya, one must understand how its platform functions technically. Hospitals connected to Rology through a tool called Rology Connect, an automatic image acquisition system that uploads DICOM files directly from the facility’s imaging equipment to the platform. Those files, containing both the scan and the embedded metadata identifying the patient, were encrypted and transmitted to Rology’s cloud infrastructure. The company’s servers, controlled from Cairo, then routed the files to available radiologists across its global network, matching cases by subspeciality and availability.

Rology told the court that reports were subsequently reviewed by licensed Kenyan radiologists before release to hospitals. The company also told the court that it had never sold patient data. But the question is not merely whether raw data was sold. The more complex and consequential questions are these: which radiologists, in which countries, reviewed Kenyan patient scans, and under what licencing authority? To what jurisdiction were those cloud servers actually subject? Were those scans used to train Rology’s eight proprietary AI tools? Were they retained after the diagnostic purpose was fulfilled? To whom, beyond the immediate interpreting radiologist, did the data become accessible? None of these questions were satisfactorily answered during proceedings.

What is known is the business result. In 2023, Rology’s Kenyan operations grew 169 percent in sales and 223 percent in gross revenues. That explosive growth was built directly on patient encounters: each scan generated a billable report and, crucially, a data asset. Each DICOM file that passed through Rology’s platform became, in a meaningful commercial sense, an input to the company’s artificial intelligence development pipeline. The AI tools Rology is now marketing across thirteen countries and positioning for global expansion were trained on radiology data. Some portion of that data came from Kenyan patients who were told they were getting a diagnostic service, not that they were contributing their bodies to a foreign AI company’s commercial product development.

No benefit-sharing framework exists. No data governance agreement with the Kenyan facilities is publicly documented. No portion of the value created from Kenyan patient encounters has flowed back to those patients or to Kenya’s health system. The model is extractive by design: data flows in one direction, from Kenyan bodies to Egyptian servers, and value flows in one direction, from Kenyan encounters to a Cairo startup’s investor pitch deck.

“In 2023, Rology’s Kenyan operations grew 223% in gross revenues. That explosive growth was built directly on patient encounters: each scan a billable report, and a data asset.”

THE CONSENT THAT WAS NEVER GIVEN

Informed consent in healthcare is not a bureaucratic formality. It is a constitutional right. Article 31 of the Constitution of Kenya guarantees every person the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed, and the right to have the privacy of their communications respected.

The Data Protection Act gives teeth to this right in the digital context, establishing specific obligations on data controllers and processors, including the requirement for lawful basis for processing, purpose limitation, and explicit consent for sensitive personal data.

Medical imaging data is among the most sensitive categories of personal information that exists. An X-ray, CT scan, or MRI reveals not just the presenting condition but potentially: reproductive health status, pregnancy, evidence of prior surgeries, signs of chronic or degenerative disease, potential genetic conditions, and markers of lifestyle that may be used for insurance or employment discrimination. DICOM files are particularly rich: the metadata embedded in each file can include patient identifiers, referring physician details, and scan parameters that may assist re-identification even if names are stripped.

The patients who used Rology’s platform through their public health facilities consented to a diagnostic scan. Full stop. They consented to their image being interpreted and a report being returned to their doctor. They did not consent to that image leaving Kenya. They did not consent to it being processed on Egyptian cloud infrastructure. They did not consent to it being interpreted by radiologists whose location, identity, and Kenyan licencing status were not disclosed to them. They did not consent to it being used as training data for commercial AI tools sold globally. They did not consent to its indefinite retention in a foreign jurisdiction.

The absence of consent for these secondary uses is not a minor procedural lapse. It is a fundamental violation of patients’ constitutional rights. The KMPDC had made this explicit in its December 2024 directive: data handler registration was mandatory by March 31, 2025, and the failure to obtain it would render processing of health data unlawful. Rology either ignored this directive or chose to continue operations in the knowledge that it was not compliant. The KMPDC, which issued the directive, took no visible enforcement action against Rology until the court forced its hand.

The court’s costs order against the KMPDC in the judgment is a quiet but pointed rebuke of an institution that put patient safety at risk through inaction.

THE DATA IN CAIRO: WHAT COULD GO WRONG

The suspension of Rology’s Kenyan operations does not retrieve the data. More than 60,000 patient records (DICOM imaging files and associated clinical histories) remain in Egyptian-controlled cloud infrastructure. They will remain there unless and until Rology is compelled to delete them, confirms their deletion, and that deletion is independently verified. None of these conditions has yet been met. The Kenyan state has no jurisdiction over Egyptian servers. The ODPC has no enforcement reach into Cairo. Affected patients have no practical mechanism to demand deletion, correction, or access to their own records in a foreign jurisdiction.

This creates a cascade of ongoing and escalating risks that do not diminish simply because the company’s Kenyan operations have been suspended.

The first and most immediate risk is cybersecurity. Teleradiology platforms are among the most targeted categories of healthcare infrastructure in the global ransomware economy. Medical imaging data is extraordinarily valuable: it cannot be changed, it contains highly sensitive personal information, and healthcare organisations under ransomware pressure have historically paid. The experience of radiology providers globally is instructive and alarming. Eastern Radiologists in North Carolina suffered a network intrusion in November 2023 that exposed the protected health information of 886,746 patients, including Social Security numbers, insurance information, and imaging results; the resulting class action settlement reached USD 3.25 million.

East River Medical Imaging in New York suffered a breach in 2023 affecting 605,809 individuals, settling for USD 1.85 million. Consulting Radiologists in Minnesota suffered a network intrusion in February 2024 affecting nearly 584,000 people, settling for USD 2.2 million.

In each case, stolen data included medical histories, diagnoses, imaging results, and financial information. In each case, that data was published on the dark web, placing affected individuals at risk of identity theft, insurance fraud, and targeted scams for years.

For Kenyan patients whose data sits on Rology’s servers, the risk is structurally similar but the recourse is structurally worse. American patients whose data was breached could file class actions in federal court, benefit from mandatory HHS breach notification requirements, and receive credit monitoring paid for by the settling defendants.

Kenyan patients whose data is breached from a Cairo-based company’s servers face a different reality: enforcement requires international legal cooperation, the company’s jurisdiction is Egyptian, and practical recourse for individual patients is close to nil.

The second risk is re-identification. The healthcare and technology research community has extensively documented that supposedly de-identified medical imaging data is far more re-identifiable than commonly assumed. DICOM files carry embedded metadata that can survive imperfect anonymisation. Medical images themselves, particularly CT scans and MRIs, contain unique anatomical features, body markers, implant signatures, and structural characteristics that sophisticated AI systems can use to re-link supposedly anonymous scans to specific individuals. Research published in leading radiology journals has confirmed that pixel-level patterns in medical images can be exploited through inference attacks conducted by third parties, revealing patient anatomy, demographics, and vendor-specific features.

The combination of de-identified imaging data with other available information, including from prior data breaches, commercial data brokers, or social media, can permit re-identification of individuals who believed their privacy was protected.
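The following Python example is added here for illustration; it is not from the original reporting or from any Rology system. It builds a constructed DICOM header (every value is invented), applies a scrub that blanks only the patient name and ID, and lists the identifying attributes that remain. It assumes Explicit VR Little Endian encoding and inspects top-level elements only.

```python
import struct

# Attributes the article lists as embedded in DICOM metadata, by (group, element).
IDENTIFYING_TAGS = {
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0018, 0x1000): "DeviceSerialNumber",
}
# Value representations that use a 4-byte length field in Explicit VR encoding.
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OW", b"SQ", b"UC", b"UN", b"UR", b"UT"}
# The only attributes the imperfect scrub below clears.
NAME_TAGS = {(0x0010, 0x0010), (0x0010, 0x0020)}


def pack_element(tag, vr, raw):
    """Encode one Explicit VR Little Endian data element."""
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", tag[0], tag[1], vr, 0, len(raw)) + raw
    return struct.pack("<HH2sH", tag[0], tag[1], vr, len(raw)) + raw


def iter_elements(data):
    """Yield (tag, vr, raw_value) for each top-level data element."""
    pos = 132 if data[128:132] == b"DICM" else 0  # skip 128-byte preamble + magic
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if not (vr.isalpha() and vr.isupper()):
            raise ValueError("not Explicit VR encoding at offset %d" % pos)
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            start = pos + 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            start = pos + 8
        if length == 0xFFFFFFFF or start + length > len(data):
            raise ValueError("undefined-length or truncated element at offset %d" % pos)
        yield (group, element), vr, data[start:start + length]
        pos = start + length


def build_sample():
    """Constructed sample header; all names, dates and serials are invented."""
    elements = [
        ((0x0002, 0x0010), b"UI", "1.2.840.10008.1.2.1"),   # transfer syntax
        ((0x0008, 0x0020), b"DA", "20230105"),
        ((0x0008, 0x0060), b"CS", "CR"),                    # modality, not identifying
        ((0x0008, 0x0090), b"PN", "Doe^Jane"),
        ((0x0009, 0x0010), b"LO", "CONSTRUCTED VENDOR"),    # private creator
        ((0x0009, 0x1001), b"LO", "Sample^Patient ward 3"), # private free text
        ((0x0010, 0x0010), b"PN", "Sample^Patient"),
        ((0x0010, 0x0020), b"LO", "TEST-0001"),
        ((0x0010, 0x0030), b"DA", "19800101"),
        ((0x0018, 0x1000), b"LO", "SN-CONSTRUCTED-1"),
    ]
    body = b""
    for tag, vr, text in elements:
        raw = text.encode("ascii")
        raw += (b"\x00" if vr == b"UI" else b" ") * (len(raw) % 2)  # even-length padding
        body += pack_element(tag, vr, raw)
    return b"\x00" * 128 + b"DICM" + body


def strip_names_only(data):
    """Emulate an imperfect anonymiser: blank PatientName and PatientID, keep the rest."""
    out = b"\x00" * 128 + b"DICM"
    for tag, vr, raw in iter_elements(data):
        out += pack_element(tag, vr, b"" if tag in NAME_TAGS else raw)
    return out


def residual_identifiers(data):
    """Return identifying attributes that still carry a value, plus private elements."""
    findings = {}
    for tag, vr, raw in iter_elements(data):
        text = raw.decode("ascii", "replace").strip(" \x00")
        if tag in IDENTIFYING_TAGS and text:
            findings[IDENTIFYING_TAGS[tag]] = text
        elif tag[0] % 2 == 1 and raw:
            # Odd group numbers are vendor-private elements; contents need manual review.
            findings["private(%04x,%04x)" % tag] = "<%d bytes, unreviewed>" % len(raw)
    return findings


if __name__ == "__main__":
    scrubbed = strip_names_only(build_sample())
    for name, value in residual_identifiers(scrubbed).items():
        print(name, "=", value)
```

After the names-only scrub, the birth date, study date, referring physician, device serial number and the vendor-private elements are all still present, which is the kind of residue a pre-export audit is meant to catch.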

Once a patient is re-identified from their medical imaging data, the exposure is total. Diagnoses of cancer, HIV, tuberculosis, reproductive conditions, mental health indicators, chronic disease, addiction, and physical trauma are all potentially inferable from imaging data. This information is extraordinarily valuable to insurance companies seeking to deny coverage, to employers engaged in unlawful discrimination, to blackmailers, and to identity thieves. Healthcare data commands among the highest per-record prices on illicit markets precisely because it is uniquely sensitive and practically immutable.

The third risk is secondary commercial use. Rology’s AI tools were trained on radiology data. The company has launched eight AI products now marketed globally. There is no public disclosure of what proportion of the training data for these tools originated from Kenyan patients, under what governance framework that data was used, whether any retention or use limitations were imposed, or whether deletion of Kenyan patient data from AI training datasets (an extraordinarily difficult technical undertaking) is even possible at this stage. If Kenyan patients’ scans were used to train commercially deployed AI tools, those patients became unconsenting contributors to a commercial product generating revenue across thirteen countries, with no benefit flowing back to them.

The fourth risk is governmental access. Egypt’s legal framework for government access to data held by domestic entities differs materially from Kenya’s. Egyptian authorities may, under applicable Egyptian law, access data held by Egyptian companies on Egyptian or Egyptian-controlled servers. There is no guarantee that Kenyan patients’ health data would be protected from such access. Kenyan law has no jurisdictional reach over such requests or disclosures.

“Healthcare data commands the highest per-record prices on illicit markets because it is uniquely sensitive and practically immutable. These patients have no practical recourse.”

A GLOBAL PATTERN KENYA IGNORED

Kenya is not the first country to confront a foreign AI company using patient imaging data without adequate consent or governance. The pattern is global, and the warning signs were visible long before Rology’s Kenyan operations became the subject of litigation.

In Australia, the country’s largest diagnostic imaging provider, I-MED Radiology Network, shared patient chest X-rays, CT scans, and associated reports with health technology firm Harrison.ai to train an AI diagnostic tool later marketed as Annalise.ai. I-MED shared a dataset that reports described as containing fewer than thirty million images. Patients were not informed, and no consent was sought. The Office of the Australian Information Commissioner opened preliminary inquiries in 2024. I-MED claimed the data had been de-identified; Harrison.ai distanced itself from responsibility, asserting that compliance was I-MED’s obligation. The OAIC ultimately concluded its inquiries without adverse finding, determining that the de-identification was sufficient. The episode nonetheless exposed a fundamental tension at the heart of AI healthcare development: patients generate the data; companies capture the value; patients are the last to know.

In the United States, a teleradiology company called The Radiology Group was required to pay USD 3.1 million to the federal government after a Department of Justice investigation found it had fraudulently billed Medicare and Medicaid for radiology services purportedly performed by US-based radiologists when the actual interpretations had been produced by contractors in India who were not permitted to practice medicine in the United States. American radiologists had simply rubber-stamped reports prepared offshore. The settlement directly echoes the accountability gap at the heart of the Rology Kenya case: patients and payers were told one thing; a different and less accountable arrangement operated in practice.

In Kenya itself, the anxiety over foreign custody of health data had already surfaced at the highest political levels. In December 2025, just months before the Rology ruling, the High Court suspended key components of a USD 1.6 billion to 2.5 billion health cooperation framework signed between Kenya and the United States, after civil society petitioners argued it posed risks to Kenyans’ medical data and national sovereignty. Justice Bahati Mwamuye issued conservatory orders preventing the operationalisation of any provisions that “provide for or facilitate the transfer, sharing or dissemination of medical, epidemiological or sensitive personal health data.” The court was saying, with considerable clarity, that Kenya’s health data sovereignty was non-negotiable even in transactions with allied sovereign governments. That same principle applied, with equal force, to a Cairo-based AI startup. The regulatory system simply failed to apply it.

THREE INSTITUTIONS THAT LOOKED AWAY

The Rology scandal is, at its core, a story of institutional failure. The company did not operate covertly. It signed contracts with public health facilities. It pitched its services to counties and hospitals. It published marketing materials naming Kenyan partnerships. It submitted evidence to a court about its scale and growth. It was not invisible. It was simply not being watched by the people whose job it was to watch.

The Kenya Medical Practitioners and Dentists Council issued its data handler certification directive in December 2024 and made the March 31, 2025 deadline explicit. The penalties for non-compliance were clear: fines of up to KSh 5 million or 1 percent of annual turnover. There is no public record of any KMPDC enforcement action against Rology before the court ruling. The institution whose directive Rology was violating did not act. The costs order against the KMPDC in Justice Nyaudi’s judgment reflects the court’s assessment that the council bore responsibility for the environment in which this occurred.

The Office of the Data Protection Commissioner had, by March 2026, handled over 9,000 complaints and issued enforcement notices and compensation orders in other sectors. It fined Nairobi Hospital for the unlawful use of a patient’s image in advertising materials. It pursued a credit company for sending unsolicited marketing messages. These are genuine enforcement actions on genuine violations. But the ODPC issued no enforcement notice against an operator that was processing the sensitive medical imaging data of over 60,000 Kenyans without registration as a data controller, without an ODPC certificate, and while conducting systematic cross-border data transfers in violation of Section 48 of the Data Protection Act. A company fined for using one patient photograph in an advertisement; a company transferring tens of thousands of patients’ CT scans to Egypt: one attracted enforcement action; the other did not.

The Digital Health Agency, established precisely to ensure data security and govern health data portability and exchange systems, produced no publicly available audit, statement, or regulatory intervention regarding Rology’s operations prior to the court ruling. Its mandate existed. It did not exercise it.

Into this regulatory vacuum, a private professional association, the Kenya Association of Radiologists, filed a petition at its own expense and pursued it to judgment. The KAR and its officials, led by Dr Gladys Mwango, Dr Brian Bwombuna, Dr Felister Wangari, and Dr Leonard Gikera, and represented by Conrad Law Advocates LLP, did what three government institutions with statutory mandates failed to do. The irony of that inversion, a professional guild doing the work of state regulators, should not pass without remark.

THE INVESTORS WHO FUNDED NON-COMPLIANCE

The December 2025 funding round that Rology closed was not the backing of a fringe operator. The Philips Foundation is the philanthropic arm of one of the world’s largest medical technology companies, with a stated mission of improving access to quality healthcare. Johnson & Johnson Impact Ventures is the impact investing vehicle of the largest healthcare conglomerate on earth. The Sanofi Global Health Unit’s Impact Fund is backed by one of the world’s largest pharmaceutical companies. MIT Solve Innovation Future is associated with one of the world’s most respected research universities. These are not investors without the resources, expertise, or institutional capability to conduct due diligence on regulatory compliance in a specific market they cited as a growth engine.

Rology’s December 2025 press materials explicitly cited Kenya as a growth market. The round was raised to “support its expansion in the Middle East and Africa” and “widen access to faster diagnostics in low- and middle-income countries.” Kenya was the proof point, the operational example, the demonstration of impact. The investors who validated Rology’s growth narrative in December 2025 were, at that moment, less than three months from a court ruling that would find the operations they had funded to be in comprehensive violation of Kenyan law.

What due diligence was performed on Rology’s data protection registration status in Kenya? What due diligence was performed on whether interpreting radiologists held valid Kenyan licences? What due diligence was performed on the governance framework for cross-border patient data transfers? These are not arcane questions. They are the foundational compliance questions that any responsible investor in a healthcare platform operating in a regulated jurisdiction should be asking before committing capital. They remain, for now, unanswered. These investors owe the public a full account.

THE RECKONING THAT IS NOW REQUIRED

The court has ruled. Rology’s Kenyan operations are suspended. But the ruling closes a chapter that should not have opened; it does not resolve the consequences that are already in motion.

The Office of the Data Protection Commissioner must open a formal, urgent investigation into every aspect of Rology’s data operations in Kenya: what data was collected, how it was processed, where it was stored, to whom it was transferred, on what legal basis, what it was used for beyond the immediate diagnostic purpose, whether it was incorporated into AI training datasets, and whether any deletion or security protocols were implemented when operations were suspended. This investigation must have forensic rigour, not the procedural caution that characterised the ODPC’s pre-ruling inaction.

The Digital Health Agency must audit every public health facility that connected to Rology’s platform and produce a public account of the data that left those facilities, the legal basis on which it was transferred, and the current status of that data in Rology’s infrastructure. The results must be published. Affected counties and facilities must be named.

Digital Health Agency CEO Eng. Antony Lenaiyara

The KMPDC must account publicly for why its March 2025 compliance directive produced no enforcement action against Rology. The institution that issued the rules must explain why it did not enforce them.

Rology’s investors (Philips Foundation, Johnson & Johnson Impact Ventures, Sanofi, and MIT Solve) must each issue public statements describing the due diligence they conducted on regulatory compliance, data protection, and patient consent frameworks in Kenya before committing capital. The silence of global health investors when their portfolio companies are found to have processed tens of thousands of patients’ health records unlawfully is not a neutral position.

Most urgently, the sixty thousand-plus Kenyan patients whose data is in Egyptian custody must be informed. They must be told what data was taken, where it sits, what it was used for, what risks they face, and what steps are being taken to protect them. This notification should not wait for litigation or regulatory proceedings to conclude. It should happen now.

Kenya must also urgently accelerate the legislative and regulatory architecture that the Rology case exposed as insufficient. The Artificial Intelligence Bill 2026 must include binding provisions for high-risk healthcare AI applications, including mandatory registration, impact assessments, human oversight requirements, and explicit consent frameworks for secondary use of medical data. Cross-border health data transfers must be treated with the seriousness of critical national security infrastructure, not as an afterthought in investor pitch decks.

“These 60,000 patients did not sign up to become data points in a foreign AI pipeline. They went to a clinic for a scan. The system that was supposed to protect them failed at every level.”

WHAT ROLOGY DOES NOT WANT YOU TO KNOW

Rology has deployed, in its public communications, a set of claims that warrant direct scrutiny in the light of the court’s findings.

The company claims FDA clearance validates its platform’s safety and legality. This is materially misleading. The FDA 510(k) clearance K231385, granted in October 2023, covers the platform as a Class II medical image management and processing system. It addresses the technical functionality of the platform: image acquisition, encryption, transmission, and display. It does not confer any authorisation to operate medical services in Kenya. It does not address compliance with Kenya’s Data Protection Act. It does not constitute a licence to process Kenyan patients’ personal health data without their consent. The FDA clearance and Rology’s Kenyan legal obligations are entirely separate matters, and the company’s suggestion that one validates the other is false.

The company claims its platform disclaims responsibility for diagnostic accuracy. This liability escape is among the most troubling features of its model. Rology marketed accuracy rates as high as 99.89 percent while simultaneously, reportedly, disclaiming responsibility for the accuracy of medical reports generated through the platform. A patient who suffered harm from a misdiagnosis or delayed diagnosis on the Rology platform would have faced a fractured accountability chain: a foreign parent company, global radiologists whose jurisdictional status is unclear, local validators, and AI outputs sheltered by pre-emptive liability shields. This is not a legitimate model for the practice of medicine.

The company claims it addressed radiologist shortages and expanded healthcare access. This argument has genuine merit as a description of need; it has no merit as a justification for operating outside the law. The shortage of radiologists in Kenya is real. The consequences of that shortage (delayed diagnoses, missed cancers, undertreated conditions) are genuinely severe. But those consequences cannot justify a company processing Kenyan patients’ most intimate health information without consent, without registration, without oversight, and in violation of the data sovereignty framework Kenya’s legislature and courts have established. Access without accountability is exploitation by another name.

The company claims it served public health facilities and therefore served public interest. What this framing conceals is the commercial reality: Rology was not operating a charity. It was a venture-backed startup that grew 223 percent in gross revenues in a single year in Kenya alone. The public facilities it served became, on this model, channels for extracting commercial value from Kenya’s most vulnerable patients. The rural patient in Kisii who went for an X-ray did not receive a subsidised service. They provided, without knowing it, commercial raw material for a Cairo startup’s AI development pipeline.

THE CLOCK STILL RUNNING

The data has already left. More than 60,000 Kenyans (disproportionately from public health facilities, disproportionately from lower-income communities with the least capacity to assert rights or seek redress) had their most sensitive medical information extracted, transferred across borders, and processed outside any framework they consented to or that Kenya’s law authorised. Some of them may have cancers detected in those scans. Some may have TB or HIV diagnoses inferable from their imaging. Some may have reproductive health conditions. Some may be identifiable from their anatomical features alone. None of them know their data is in Cairo. None of them can easily get it back.

Rology will likely appeal the suspension. The company has infrastructure, investors, and a global network. It is not going quietly. Its legal team will argue that its local affiliate is a duly incorporated Kenyan company, that its platform provides genuine healthcare benefits, that its AI tools meet international standards, and that the regulatory framework it was operating in was unclear. Some of these arguments have surface plausibility. None of them addresses the foundational fact that the company processed the health data of 60,000 Kenyans without legal authorisation and without the consent of the patients whose bodies it digitised.

The pattern of what happened in Kenya is not unique to Rology and not unique to Africa. Global AI companies, backed by global investors, are systematically mining health data from low-and-middle-income country populations: populations with less regulatory capacity to resist, less legal infrastructure to pursue redress, and less political power to compel accountability. The data flows from the Global South to corporate servers in Cairo, Riyadh, Tel Aviv, and San Francisco. The AI tools trained on that data are sold back to the same markets at prices those populations struggle to afford. The patients who generated the value receive nothing. The investors who funded the extraction are celebrated at Davos.

Kenya has a functioning data protection law, a Constitutional Bill of Rights, and courts willing to enforce them. Those instruments worked here, eventually, thanks to the persistence of a professional association that was willing to spend its own resources fighting what the state would not. The question now is whether the state will finish what the courts started: whether the ODPC, the Digital Health Agency, the KMPDC, and the Ministry of Health will treat this ruling as a mandate for genuine reckoning, or whether they will allow it to pass as an administrative footnote while the clock on 60,000 Kenyans’ privacy runs out in silence.

The bodies have been digitised. The scans are in Cairo. And the accountability, at long last, must follow them there.

