Kenya’s healthcare sector is facing a data security scare after hackers claimed to have stolen millions of medical and personal records from M-Tiba, a digital health wallet backed by Safaricom.
The breach, reportedly involving more than 17 million files, could be the largest cyberattack on a health platform in the country’s history.
The group behind the attack, calling itself Kazu, says it accessed approximately 2.15 terabytes of data from M-Tiba’s servers and has already leaked a 2 GB sample on Telegram through its “Kazu Breach” channel.
The shared files appear to contain sensitive details such as patients’ full names, national ID numbers, phone contacts, birth dates, and medical information, including diagnoses and billing records.
An early review of the leaked documents shows that data from about 114,000 users, both account holders and their dependents, has already been compromised. Kazu, however, claims the breach could affect as many as 4.8 million people, though this figure is still unverified.
When contacted, M-Tiba operator CarePay neither confirmed nor denied the claims but said it had begun an internal investigation.
“At M-TIBA, we take all matters of data security with the utmost seriousness. As part of our standard protocol, we would like to actively investigate the claims you are referring to,” said a CarePay representative in an email response to TechCabal.
“To aid our internal investigation, could you please share the specific source links or posts that have prompted your inquiry?”
The leaked material also appears to include billing data from nearly 700 health facilities, with some documents displaying handwritten medical notes, doctor names, insurance details, and full payment summaries. If authenticated, the breach could expose not only individual patients but also hospitals, doctors, and insurers linked to the platform.
Officials at the Office of the Data Protection Commissioner (ODPC) confirmed awareness of the incident but declined to discuss it further, noting ongoing investigations.
Kenya’s Data Protection Act of 2019 treats medical information as “sensitive personal data,” demanding strict storage and disclosure safeguards.
A confirmed breach of this scale could result in legal penalties, class actions, and intense scrutiny from both regulators and international partners.
Kenya’s growing dependence on digital infrastructure has made it vulnerable to cyber threats. The Communications Authority of Kenya (CA) recorded more than 4.6 billion cyber threat events between April and June 2025, an 80% rise from the previous quarter.
Most of these incidents targeted banks, telecoms, and government systems, primarily through phishing, ransomware, and data theft.
Launched in 2016, M-Tiba was developed through a partnership between CarePay, Safaricom, and the PharmAccess Foundation. The platform allows users to save, spend, and receive funds specifically for healthcare, and it also manages insurance payouts and government health subsidies.
With over 4 million users and ties to 3,000 hospitals, M-Tiba has been regarded as a model for expanding affordable healthcare access in Kenya.
However, the same scale that made M-Tiba a national success story has also made it a lucrative target.

