Hackers say they have stolen millions of medical and personal records from M-Tiba, a Safaricom-backed digital health wallet, in what could be one of Kenya’s largest-ever data breaches.
A group calling itself Kazu claims to have gained access to more than 17 million files, or approximately 2.15 terabytes of data, from M-Tiba’s servers. The group shared a 2GB sample of the stolen data on its Telegram channel (Kazu Breach), containing what appear to be patients’ names, national ID numbers, dates of birth, phone contacts, and, in some cases, their medical diagnoses and billing information.
The leaked files include information on about 114,000 users, both account holders and their beneficiaries, according to files examined by . Kazu claims as many as 4.8 million people could be affected, a figure that has not been independently verified.
M-Tiba, operated by CarePay, a Nairobi-based health technology company, neither confirmed nor denied the breach. The company asked to share copies of the leaked files to assist with its review.
“At M-TIBA, we take all matters of data security with the utmost seriousness. As part of our standard protocol, we would like to actively investigate the claims you are referring to,” said a CarePay representative, in an email response. “To aid our internal investigation, could you please share the specific source links or posts that have prompted your inquiry?”
An official from the Office of the Data Protection Commissioner (ODPC) said the agency was aware of the incident but declined to elaborate, citing they were not authorised to comment on an active matter.
The sample of stolen data also contains records from about 700 health facilities, with some scans showing full billing sheets and patient diagnostic summaries, including the names of doctors and insurance companies. In one set of documents, patient IDs, contact details, and treatment costs were listed alongside handwritten notes from medical staff.
If confirmed, the M-Tiba breach would mark one of the most serious exposures of medical data since Kenya’s Data Protection Act came into force in 2019. The law classifies health records as sensitive personal information, requiring strict safeguards.
Image source: Kazu
Rising threats
Kenya has witnessed a series of breaches involving private companies and public platforms in recent years, including the 2023 hack on the e-Citizen platform. From education and tax systems to hospitals and fintech apps, the country’s digital shift has often outpaced its cybersecurity capacity.
Cyberattacks have been rising steadily in Kenya as more public and private services move online. The Communications Authority (CA) recorded over 4.6 billion between April and June 2025, an 80% rise compared to the previous quarter. Most incidents involved phishing, ransomware, and data breaches targeting banks, telecommunications companies, and government systems.
M-Tiba has been one of Kenya’s digital success stories. Launched in 2016 through a partnership between CarePay, Safaricom, and the PharmAccess Foundation, the platform allows users to save and spend money specifically for healthcare. It’s also used to distribute insurance benefits and government health subsidies.
In 2024, M-Tiba claims it has over 4 million users and partnerships with over 3,000 hospitals. Its model — part mobile wallet, part health insurance clearinghouse — has been praised as a practical path toward universal health coverage.
That scale also makes it an attractive target. If the breach is as large as claimed, it could expose individual patients and the internal data of clinics, insurers, and medical professionals.
