{"id":6532,"date":"2025-10-29T18:57:47","date_gmt":"2025-10-29T18:57:47","guid":{"rendered":"https:\/\/regtechafrica.com\/healthcare\/?p=6532"},"modified":"2025-10-29T18:57:47","modified_gmt":"2025-10-29T18:57:47","slug":"kenya-m-tiba-data-breach-sparks-major-cybersecurity-concerns-in-kenyas-health-sector","status":"publish","type":"post","link":"https:\/\/regtechafrica.com\/healthcare\/kenya-m-tiba-data-breach-sparks-major-cybersecurity-concerns-in-kenyas-health-sector\/","title":{"rendered":"Kenya: M-Tiba Data Breach Sparks Major Cybersecurity Concerns in Kenya\u2019s Health Sector"},"content":{"rendered":"

Kenya\u2019s digital health ecosystem has been rocked by a suspected massive data breach<\/strong> targeting M-Tiba<\/strong>, the country\u2019s leading mobile health wallet backed by Safaricom<\/strong>, CarePay<\/strong>, and the PharmAccess Foundation<\/strong>. Hackers have allegedly accessed and leaked millions of sensitive medical and personal records \u2014 in what could become the largest cyberattack in Kenya\u2019s healthcare history<\/strong>.<\/p>\n

A cybercriminal group identifying itself as \u201cKazu\u201d<\/strong> has claimed responsibility for the breach, asserting that it infiltrated M-Tiba\u2019s servers and extracted approximately 2.15 terabytes of data<\/strong>, including over 17 million files<\/strong>. The group has reportedly released a 2GB sample<\/strong> of the stolen data on Telegram through a channel named \u201cKazu Breach.\u201d<\/strong><\/p>\n

Preliminary examinations of the leaked files indicate exposure of patients\u2019 names, national ID numbers, phone numbers, birth dates, medical diagnoses, and billing records.<\/strong> Early estimates suggest that personal information belonging to at least 114,000 users<\/strong> \u2014 including dependents \u2014 has already been compromised. However, Kazu claims the total number of affected individuals could reach 4.8 million<\/strong>, a figure that remains unverified.<\/p>\n

When contacted, CarePay<\/strong>, which operates M-Tiba, did not confirm or deny the claims but acknowledged that an internal probe is underway.<\/p>\n

\n

\u201cAt M-TIBA, we take all matters of data security with the utmost seriousness. As part of our standard protocol, we are actively investigating the claims you are referring to,\u201d a CarePay spokesperson said in an email response, requesting further details to assist the inquiry.<\/p>\n<\/blockquote>\n

If authenticated, the leaked data could also implicate nearly 700 healthcare facilities<\/strong>, exposing doctors\u2019 names, handwritten medical notes, insurance details, and complete payment records. Analysts warn that the breach could endanger not only patients but also hospitals and insurers connected to M-Tiba\u2019s extensive network.<\/p>\n

The Office of the Data Protection Commissioner (ODPC)<\/strong> confirmed awareness of the incident but refrained from commenting further, citing ongoing investigations. Under Kenya\u2019s Data Protection Act of 2019<\/strong>, medical information is classified as sensitive personal data<\/strong>, requiring strict confidentiality and protection. A confirmed breach on this scale could trigger regulatory sanctions, lawsuits, and international scrutiny<\/strong>.<\/p>\n

Cybersecurity experts say the attack underscores Kenya\u2019s growing exposure to digital risks as the country accelerates its shift toward online platforms. The Communications Authority of Kenya (CA)<\/strong> reported 4.6 billion cyber threat events<\/strong>between April and June 2025 \u2014 an 80% surge<\/strong> from the previous quarter. Financial institutions, telecommunications operators, and public sector systems remain the most frequently targeted.<\/p>\n

Launched in 2016<\/strong>, M-Tiba has become a cornerstone of Kenya\u2019s digital health infrastructure, enabling users to save, pay, and receive healthcare funds<\/strong> while managing insurance reimbursements and government health subsidies<\/strong>. With over 4 million users<\/strong> and partnerships spanning 3,000 hospitals<\/strong>, it has been widely regarded as a model for expanding healthcare access<\/strong> across the country.<\/p>\n

However, experts note that its scale and integration with Kenya\u2019s broader digital economy also make it an attractive target for cybercriminals. The incident, if verified, could prompt renewed discussions on data governance, cyber resilience, and digital health regulation<\/strong> in Africa\u2019s fastest-growing digital market.<\/p>\n","protected":false},"excerpt":{"rendered":"

Kenya\u2019s digital health ecosystem has been rocked by a suspected massive data breach targeting M-Tiba, the country\u2019s leading mobile health wallet backed by Safaricom, CarePay, and the PharmAccess Foundation. Hackers…<\/p>\n","protected":false},"author":1,"featured_media":6533,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[95,80],"tags":[],"class_list":["post-6532","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kenya-africa","category-news"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/regtechafrica.com\/healthcare\/wp-content\/uploads\/2025\/10\/Massive-Data-Breach-Hits-M-Tiba-Millions-of-Kenyan-Health-Records-Allegedly-Exposed.webp?fit=1200%2C674&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/posts\/6532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/comments?post=6532"}],"version-history":[{"count":1,"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/posts\/6532\/revisions"}],"predecessor-version":[{"id":6534,"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/posts\/6532\/revisions\/6534"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/media\/6533"}],"wp:attachment":[{"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/media?parent=6532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/categories?post=6532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regtechafrica.com\/healthcare\/wp-json\/wp\/v2\/tags?post=6532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}