Kenya’s digital health ecosystem has been rocked by a suspected massive data breach targeting M-Tiba, the country’s leading mobile health wallet backed by Safaricom, CarePay, and the PharmAccess Foundation. Hackers have allegedly accessed and leaked millions of sensitive medical and personal records — in what could become the largest cyberattack in Kenya’s healthcare history.
A cybercriminal group identifying itself as “Kazu” has claimed responsibility for the breach, asserting that it infiltrated M-Tiba’s servers and extracted approximately 2.15 terabytes of data, including over 17 million files. The group has reportedly released a 2GB sample of the stolen data on Telegram through a channel named “Kazu Breach.”
Preliminary examinations of the leaked files indicate exposure of patients’ names, national ID numbers, phone numbers, birth dates, medical diagnoses, and billing records. Early estimates suggest that personal information belonging to at least 114,000 users — including dependents — has already been compromised. However, Kazu claims the total number of affected individuals could reach 4.8 million, a figure that remains unverified.
When contacted, CarePay, which operates M-Tiba, did not confirm or deny the claims but acknowledged that an internal probe is underway.
“At M-TIBA, we take all matters of data security with the utmost seriousness. As part of our standard protocol, we are actively investigating the claims you are referring to,” a CarePay spokesperson said in an email response, requesting further details to assist the inquiry.
If authenticated, the leaked data could also implicate nearly 700 healthcare facilities, exposing doctors’ names, handwritten medical notes, insurance details, and complete payment records. Analysts warn that the breach could endanger not only patients but also hospitals and insurers connected to M-Tiba’s extensive network.
The Office of the Data Protection Commissioner (ODPC) confirmed awareness of the incident but refrained from commenting further, citing ongoing investigations. Under Kenya’s Data Protection Act of 2019, medical information is classified as sensitive personal data, requiring strict confidentiality and protection. A confirmed breach on this scale could trigger regulatory sanctions, lawsuits, and international scrutiny.
Cybersecurity experts say the attack underscores Kenya’s growing exposure to digital risks as the country accelerates its shift toward online platforms. The Communications Authority of Kenya (CA) reported 4.6 billion cyber threat events between April and June 2025 — an 80% surge from the previous quarter. Financial institutions, telecommunications operators, and public sector systems remain the most frequently targeted.
Launched in 2016, M-Tiba has become a cornerstone of Kenya’s digital health infrastructure, enabling users to save, pay, and receive healthcare funds while managing insurance reimbursements and government health subsidies. With over 4 million users and partnerships spanning 3,000 hospitals, it has been widely regarded as a model for expanding healthcare access across the country.
However, experts note that its scale and integration with Kenya’s broader digital economy also make it an attractive target for cybercriminals. The incident, if verified, could prompt renewed discussions on data governance, cyber resilience, and digital health regulation in Africa’s fastest-growing digital market.
