The reported data breach affecting the Safaricom-backed M-Tiba platform has sparked serious concern across Kenya’s technology and healthcare sectors.
A hacker group calling itself “Kazu” claims responsibility for stealing more than two terabytes of data, which may include sensitive medical and personal information belonging to millions of users.
The group says it gained access to M-Tiba’s servers and extracted over 17 million files containing personal details such as names, identification numbers, phone contacts, dates of birth, and medical records from more than 700 health facilities across the country.
To support its claims, Kazu reportedly released a sample of about 2GB of data on Telegram, revealing patient records, scanned documents, and billing information.
The sample appears to affect over one hundred thousand users, but the group insists that the total number could reach nearly five million. If verified, this would represent one of the most significant data breaches in Kenya’s history, surpassing past cases involving financial or government databases.
The information allegedly stolen includes personal identification details, diagnostic notes, treatment records, and financial data linked to health insurance claims.
M-Tiba, operated by Dutch-based CarePay in partnership with Safaricom and the PharmAccess Foundation, has acknowledged awareness of the situation but has not confirmed the extent of the breach.
The company said it is working with cybersecurity experts to verify the claims and determine how the breach may have occurred. The Office of the Data Protection Commissioner (ODPC) has also stepped in, confirming that it is closely monitoring developments and engaging with the affected parties.
According to Kenya’s Data Protection Act, any organization that experiences a data breach must report it within seventy-two hours, raising questions about M-Tiba’s delay in publicly informing users or disclosing the scale of exposure.
Cybersecurity professionals warn that the potential impact of such a breach could be long-lasting. Health data, unlike passwords or credit cards, cannot be changed, making it especially valuable to cybercriminals. Stolen information could be used for identity theft, fraudulent insurance claims, or medical scams.
Kevin Odhiambo, a cybersecurity expert, noted that once medical data is leaked, it becomes nearly impossible to control or remove it, leaving victims exposed to ongoing risks.This incident highlights the growing vulnerability of Kenya’s expanding digital health systems.
Over the years, platforms like M-Tiba have helped millions of Kenyans access healthcare and manage medical expenses through mobile technology, but the same convenience has introduced new security challenges.
Many systems still operate without strong cybersecurity frameworks, leaving user data open to exploitation.In response, users have been urged to change passwords linked to their M-Tiba accounts, remain alert to suspicious messages, and monitor their financial and medical records for irregular activity. They are also encouraged to contact M-Tiba for clarification about whether their personal data was compromised.
The breach has reignited debate about how well corporations protect personal information and whether Kenya’s data protection laws are being effectively enforced.As investigations continue, the case has drawn attention to the broader issue of digital privacy in Kenya’s healthcare sector. If confirmed, the M-Tiba breach could lead to stricter government oversight, tighter data security standards, and a renewed focus on corporate accountability.
For millions of users who trusted the platform with their most private details, the incident has shaken confidence in digital health services and served as a stark warning of the risks that come with an increasingly connected world.
Add Comment