A cyberattack on M-Tiba, a Kenyan healthtech platform, went undetected for 10 days, exposing the personal and medical information of nearly five million Kenyans, according to an internal status report seen by .
The report—shared by M-Tiba’s operator CarePay Limited to insurance companies including Jubilee, Fidelity, GA Insurance, and AAR Insurance—reveals that the breach occurred between October 17 and 25, but was only discovered on October 27 at 1:23 p.m.
The report paints a picture of delayed detection, limited communication, and potential violations of Kenya’s data protection laws.
10-day blindspot
CarePay said the intrusion began when a third-party healthcare provider’s device was infiltrated, compromising that provider’s user credentials. Using the stolen credentials, the attackers forced their way into M-Tiba’s Version 2 platform and extracted a large dataset covering insurance claims, patient information, and clinical records.
“Approximately 4.8 million records were illegally obtained in relation to beneficiaries and claims across various healthcare payers,” CarePay said in the report. “A sample of the dataset has been made available for downloading via the dark web.”
While CarePay has not yet contacted affected individuals, the company says it has notified data controllers, including insurance firms, who are expected to reach out to data subjects directly.
“As the processor, we have informed the controllers who will subsequently inform data subjects,” the report said.
CarePay did not respond to a request for comment.
The affected data includes financial information such as insurance claims, benefit limits, and utilisation; personally identifiable information, including full names, ID numbers, photos, and contact details; as well as sensitive health information such as diagnoses, lab results, prescriptions, and discharge summaries.
Those affected include insurance companies, healthcare providers, and policyholders — including children.
A review of the accessed data found that all major insurance firms were affected, along with thousands of health facilities—public, private, and those run by religious institutions such as the Catholic Church—spread across the country, including rural areas. This points to a massive breach that may have been significantly underreported.
Silence and confusion
Four people at Jubilee and AAR Insurance who asked not to be named told that they learned of the incident from media reports, not from CarePay or the Office of the Data Protection Commissioner (ODPC).
The regulator itself appeared to confirm this communication lapse. In a public notice on October 29, the ODPC said it became aware of the M-Tiba incident through media reports.
“The ODPC is aware of media reports that mobile-health-wallet platform M-Tiba may have experienced a cyber-incident involving the potential exposure of personal and health data of users,” the regulator said.
ODPC did not respond to ’s request for comment.
Under Kenya’s Data Protection Act (2019), data controllers and processors are required to report breaches within 72 hours of becoming aware of them and to promptly notify affected individuals if the breach is likely to result in a high risk to their rights.
CarePay’s timeline shows that the breach was active for 10 days before being detected, and that neither M-Tiba nor its partner insurers have yet notified affected users.
“As the processor, we have informed the controllers who will subsequently inform data subjects,” the company said, referring to insurers and health payers responsible for patient data.
Regulatory reckoning
The regulator has opened investigations into the incident. An official confirmed to that the office received the report but was reviewing whether the company complied with local data laws.
If found to have violated reporting and notification requirements, CarePay could face fines and enforcement orders under the Data Protection Act.
M-Tiba, launched in 2016 through a partnership between CarePay, Safaricom, and the PharmAccess Foundation, allows users to save and spend money specifically for healthcare. It handles millions of insurance and out-of-pocket medical transactions annually and claims to have partnerships with over 3,000 hospitals.
