Kenya, 28 October 2025 - Kenya’s digital health sector is facing a major cybersecurity crisis after hackers claimed to have stolen a massive trove of personal and medical data from M-TIBA, a Safaricom-backed mobile health platform. The alleged breach, said to involve over 2.15 terabytes of information, could expose the records of up to 4.8 million users, making it one of the largest data leaks in Kenya’s history.
A threat actor known as “Kazu” announced the breach on dark web forums, advertising the stolen database and sharing a 2 GB sample file as proof. The sample reportedly contains the details of more than 114,000 users, including both account holders and their beneficiaries. The leaked information allegedly includes full names, national ID numbers, phone contacts, dates of birth, medical diagnoses, and billing records, along with data from about 700 health facilities.
Cybersecurity analysts warn that the breach could expose highly sensitive patient information, linking individuals to specific diagnoses and hospitals. If verified, it represents a serious violation of privacy and data protection laws, leaving victims vulnerable to identity theft, insurance fraud, and blackmail.
M-TIBA, developed by CarePay in partnership with Safaricom and the PharmAccess Foundation, has been hailed as a cornerstone of Kenya’s health-tech ecosystem since its launch in 2016. The platform allows users to save, send, and spend money specifically for healthcare, and helps manage insurance benefits and government health subsidies. By 2024, M-TIBA had more than 4 million users and partnerships with over 3,000 hospitals.

In a statement, CarePay neither confirmed nor denied the incident but said it was “actively investigating” the claims. “At M-TIBA, we take all matters of data security with the utmost seriousness,” a company representative said, requesting access to the leaked files to assist with internal investigations.
The Office of the Data Protection Commissioner (ODPC) confirmed awareness of the alleged breach but declined to comment further, citing an ongoing investigation. Under Kenya’s Data Protection Act (2019), companies are required to report breaches within 72 hours of discovery, though no official notice has yet been made public.
Ironically, the incident comes just two months after M-TIBA announced it had achieved ISO/IEC 27001:2022 certification, an international standard for information security management.
The breach highlights a worrying trend as Kenya’s digital expansion continues to outpace its cybersecurity readiness. Between April and June 2025, the Communications Authority recorded over 4.6 billion cyberattacks, an 80% jump from the previous quarter. With platforms like M-TIBA handling sensitive data daily, experts warn that without stronger defenses, more breaches could be looming.





