The breach, reportedly involving more than 17 million files, could be the largest cyberattack on a health platform in the country’s history.

The group behind the attack, calling itself Kazu, says it accessed approximately 2.15 terabytes of data from M-Tiba’s servers and has already leaked a 2GB sample on Telegram through its “Kazu Breach” channel. 

The shared files appear to contain sensitive details such as patients’ full names, national ID numbers, phone contacts, birth dates, and medical information, including diagnoses and billing records.

An early review of the leaked documents shows that data from about 114,000 users, both account holders and their dependents, has already been compromised. Kazu, however, claims the breach could affect as many as 4.8 million people, though this figure is still unverified.

When contacted, M-Tiba operator CarePay neither confirmed nor denied the claims but said it had begun an internal investigation.

“At M-TIBA, we take all matters of data security with the utmost seriousness. As part of our standard protocol, we would like to actively investigate the claims you are referring to,” said a CarePay representative in an email response to TechCabal. 

“To aid our internal investigation, could you please share the specific source links or posts that have prompted your inquiry?”

The leaked material also appears to include billing data from nearly 700 health facilities, with some documents displaying handwritten medical notes, doctor names, insurance details, and full payment summaries. If authenticated, the breach could expose not only individual patients but also hospitals, doctors, and insurers linked to the platform.

Officials at the Office of the Data Protection Commissioner (ODPC) confirmed awareness of the incident but declined to discuss it further, noting ongoing investigations. 

Kenya’s Data Protection Act of 2019 treats medical information as “sensitive personal data,” demanding strict storage and disclosure safeguards. 

A confirmed breach of this scale could result in legal penalties, class actions, and intense scrutiny from both regulators and international partners.

Kenya’s growing dependence on digital infrastructure has made it vulnerable to cyber threats. The Communications Authority of Kenya (CA) recorded more than 4.6 billion cyber threat events between April and June 2025, an 80% rise from the previous quarter. 

Most of these incidents targeted banks, telecoms, and government systems, primarily through phishing, ransomware, and data theft.

Launched in 2016, M-Tiba was developed through a partnership between CarePay, Safaricom, and the PharmAccess Foundation. The platform allows users to save, spend, and receive funds specifically for healthcare, and it also manages insurance payouts and government health subsidies. 

With over 4 million users and ties to 3,000 hospitals, M-Tiba has been regarded as a model for expanding affordable healthcare access in Kenya.

However, the same scale that made M-Tiba a national success story has also made it a lucrative target.

The post Massive Data Breach Hits M-Tiba: Millions of Kenyan Health Records Allegedly Exposed appeared first on Tech | Business | Economy.

This initiative, the first of its kind in the country, is aimed at professionals across sectors and shows a sharpened focus on regulation as the economy becomes more digitised.

The launch, which coincided with the 8th annual conference of the Network of African Data Protection Authorities (NADPA) in Abuja, was led by Dr Bosun Tijani, minister of Communications, Innovation and Digital Economy. He wasted no time in stressing the weight of the move.

“As we digitise government services, open up digital trade corridors, and scale digital identity platforms, data becomes the backbone and data protection, the shield,” he said during the event.

From where we stand, this academy is a response to a reality where data breaches, identity theft, and privacy violations are no longer rare headlines but daily threats. 

The Nigeria Virtual Privacy Academy brings practical, accessible training on cybersecurity and data governance for everyone—from government workers to young tech professionals. The idea is to build digital resilience through knowledge, not just laws.

Vice President Kashim Shettima, represented at the event by Senator Ibrahim Hadejia, noted that the Federal Government views data not merely as code or numbers, but as something deeply human. “Data is more than just a digital asset,” he said. “It is a human story told in numbers.”

Nigeria has gone beyond just trying to keep up with international best practices, it’s now attempting to create a regulatory system that matches the velocity of technological change.

To this end, the Vice President pointed to several milestones. He recalled how President Tinubu, only two weeks into office, signed the Nigeria Data Protection Act into law.

This was followed by Nigeria’s endorsement of the Malabo Convention on Cybersecurity and Personal Data Protection earlier this year. The General Application Implementation Directive for the Act also came into effect just two months ago.

“Our data protection ecosystem is now directly tied to the delivery of the eight presidential priorities of this administration,” Shettima noted.

Beyond national borders, Nigeria is pushing for a continent-wide alignment. The Chairperson of NADPA, represented by Vice President Immaculate Kassiat, called for shared standards across African countries, emphasising the urgency of regional cooperation in an era where data knows no boundaries.

On his part, Dr Vincent Olatunji, national nommissioner of the Nigeria Data Protection Commission (NDPC), offered insight into what has already been achieved.

The numbers were telling; over 5,000 compliance assessments, 223 investigations, 12 organisational remediations, and upwards of $1.2 million generated in regulatory fees in just two years.

“We’ve signed MOUs with data protection authorities across Africa and are creating a regulatory environment that encourages innovation while safeguarding citizens,” Olatunji said.

Still, he warned, not every African nation has caught up. Many countries on the continent remain without concrete data protection laws, a vacuum he believes could weaken Africa’s digital future.

“Strong data protection frameworks are not barriers to innovation, but enablers of a resilient and inclusive digital economy.”

The conference, themed “Balancing Innovation in Africa: Data Protection and Privacy in Emerging Technologies,” convened more than 30 African nations, with international observers from Europe, the Middle East, Asia, and the United States.

It was a mix of public declarations and backroom strategy—an attempt to shape how the continent handles one of its most valuable currencies: data.

Inga Stefanowicz, speaking on behalf of the European Union, reiterated the EU’s support for Africa’s evolving data governance ecosystem. And while partnerships are welcome, the message from Nigerian officials stressed that we can’t afford to wait for global consensus to protect what’s already ours.

With the academy now live and the NDPC expanding its reach, Nigeria is now increasing focus on a sector usually overlooked until something goes wrong. This reiterates that digital trust is not optional, but built into the code.

The post Nigeria Virtual Privacy Academy: FG to Train Youth on Cybersecurity, Data Governance appeared first on Tech | Business | Economy.