A hacker group identifying themselves as Kazu claims to have infiltrated M-Tiba, a digital health wallet backed by Safaricom, extracting millions of confidential medical and personal records. This incident could represent one of the largest data compromises ever recorded in Kenya.
Kazu asserts that they have obtained access to more than 17 million files, amounting to approximately 2.15 terabytes of data from M-Tiba’s systems. To validate their claims, the group shared a 2 GB sample on their Telegram channel, which reportedly contains patients’ full names, national ID numbers, dates of birth, phone contacts, and in some cases, detailed medical diagnoses and billing information.
TechCabal’s examination of the leaked data uncovered details related to around 114,000 users, including both primary account holders and their dependents. Kazu estimates that the breach could affect up to 4.8 million individuals, although this figure has yet to be independently verified.
CarePay, the Nairobi-based health technology company that operates M-Tiba, has neither confirmed nor denied the breach. The firm has requested access to the leaked data from TechCabal to conduct a comprehensive internal review.
“Protecting data is paramount at M-TIBA. We are dedicated to thoroughly investigating these allegations,” a CarePay representative communicated via email. “Please share the specific links or posts that triggered your inquiry to assist us in our investigation.”
An official from Kenya’s Office of the Data Protection Commissioner (ODPC) acknowledged awareness of the situation but refrained from commenting further due to ongoing investigative protocols.

The compromised dataset reportedly includes information from nearly 700 healthcare providers, encompassing detailed billing records and patient diagnostic summaries. Some documents reveal the names of attending doctors and insurance companies. One set of files even contains patient identification numbers, contact details, treatment costs, and handwritten notes from medical staff.
If these allegations prove accurate, this breach would rank among the most critical exposures of medical data since Kenya’s Data Protection Act of 2019 came into effect. The legislation classifies health information as highly sensitive, requiring rigorous safeguards.


Rising Cybersecurity Threats in Kenya
Kenya has witnessed a growing number of cyberattacks targeting both private sector companies and government platforms over recent years, including the high-profile 2023 breach of the e-Citizen portal. As sectors such as education, taxation, healthcare, and fintech increasingly embrace digital solutions, the nation’s cybersecurity defenses have struggled to keep up with the escalating threats.
The surge in cyber incidents parallels Kenya’s rapid digital transformation. According to the Communications Authority (CA), over 4.6 billion cyber threat attempts were recorded between April and June 2025, reflecting an 80% rise compared to the previous quarter. These attacks mainly involved phishing, ransomware, and data breaches targeting banks, telecom companies, and government agencies.
Since its inception in 2016, M-Tiba has been recognized as a trailblazing digital health platform in Kenya, developed through a partnership between CarePay, Safaricom, and the PharmAccess Foundation. The service allows users to set aside funds for healthcare expenses and streamlines the distribution of insurance claims and government health subsidies.
By 2024, M-Tiba had amassed over 4 million users and collaborated with more than 3,000 healthcare providers. Its innovative hybrid model, blending mobile wallet functionality with health insurance management, has been lauded as a forward-thinking step toward universal health coverage.
Nevertheless, the platform’s broad adoption also makes it an attractive target for cybercriminals. If the breach is as extensive as alleged, it could jeopardize the privacy of millions of patients and expose sensitive operational data from clinics, insurers, and medical professionals.





