M-Tiba Hacked, Millions of Kenyan Patient Records at Risk

In what could be one of Kenya’s largest-ever data breaches, hackers are claiming to have stolen millions of medical and personal records from M-Tiba, a popular digital health wallet backed by Safaricom. “Hackers say they have stolen millions of medical and personal records from M-Tiba, a Safaricom-backed digital health wallet,” reports Edwin Okoye, Senior Reporter at TechCabal. The breach puts the sensitive information of a huge number of Kenyans in jeopardy and raises serious questions about the security of the country’s fast-growing digital health systems.

How Much Patient Data Was Exposed?

The sheer scale of the alleged breach is staggering. “A group calling itself Kazu claims to have gained access to more than 17 million files, or approximately 2.15 terabytes of data, from M-Tiba’s servers,” states Juliet Maina, Technology Editor at Techeconomy.ng. This isn’t just anonymous data. The hackers appear to have gotten their hands on the crown jewels of personal information. According to Brian Otieno, an Investigative Journalist at TechTrendsKE, “The shared files appear to contain sensitive details such as patients’ full names, national ID numbers, phone contacts, birth dates, and medical information, including diagnoses and billing records.”

Who Has Been Impacted by the Breach?

While the full extent is still being verified, early signs point to a massive number of people being affected. “The leaked files include information on about 114,000 users… Kazu claims as many as 4.8 million people could be affected, a figure that has not been independently verified,” writes Edwin Okoye at TechCabal. With personal details like national ID numbers out in the open, the risk of identity theft is very real. For those worried about their digital footprint and personal security after such a breach, services like Aura offer comprehensive protection against identity theft and online threats, providing some peace of mind in uncertain times.

M-Tiba’s Response

M-Tiba’s parent company, CarePay, was quick to address the allegations, though it stopped short of confirming the breach. “At M-TIBA, we take all matters of data security with the utmost seriousness. As part of our standard protocol, we would like to actively investigate the claims you are referring to,” a CarePay representative told Juliet Maina. Meanwhile, government bodies are taking notice. “An official from the Office of the Data Protection Commissioner (ODPC) said the agency was aware of the incident but declined to elaborate, citing they were not authorised to comment,” Okoye reports. This cautious approach from officials suggests a deeper investigation is likely underway.

Hospitals and Insurers Also Exposed

The breach doesn’t just affect individual patients. It sends shockwaves through the entire healthcare system. “The sample of stolen data also contains records from about 700 health facilities, with some scans showing full billing sheets and patient diagnostic summaries, including the names of doctors and insurance companies,” describes Brian Otieno. This wider exposure complicates the situation, dragging hospitals, clinics, and insurance partners into the crisis.

Kenya’s Data Protection Law on the Test

This incident is shaping up to be a major test for Kenya’s relatively new data protection framework. “If confirmed, the M-Tiba breach would mark one of the most serious exposures of medical data since Kenya’s Data Protection Act came into force in 2019,” observes Edwin Okoye. The outcome of the investigation and any subsequent regulatory action will set a critical precedent for how companies handle user data and the real-world consequences of failing to protect it, an issue that touches on recent debates about suspended cyber laws in Kenya.

The Bigger Picture of Cyber Risks in Kenya

The M-Tiba hack isn’t happening in a vacuum. It’s part of a worrying trend of escalating cyber threats in Kenya. “The Communications Authority (CA) recorded over 4.6 billion [cyber threats] between April and June 2025, an 80% rise compared to the previous quarter. Most incidents involved phishing, ransomware, and data breaches,” writes Juliet Maina. This sharp increase highlights a critical vulnerability in the country’s digital infrastructure, making the fight against AI-driven cybercrime more urgent than ever.

Recommended Tech

As cyber threats become more common, securing your home network is a crucial first step in protecting your personal data. A weak or outdated router can be an easy entry point for attackers. The TechBull recommends upgrading to a modern mesh Wi-Fi system. A great option is the Google Nest WiFi Pro, which offers robust security features, automatic updates, and reliable coverage to help keep your digital life safe from unwanted intruders.

M-Tiba’s Place in Kenya’s Digital Health

Launched in 2016, M-Tiba has been a key player in digitizing healthcare access for millions of Kenyans. A partnership between CarePay, Safaricom, and the PharmAccess Foundation, it has grown significantly. TechCabal reports that the platform “now has over 4 million users and ties to 3,000 hospitals.” Its integration with services like M-Pesa made it a convenient tool for managing healthcare savings and payments, cementing its role in the daily lives of many.

What Comes Next for M-Tiba?

The road ahead for M-Tiba and CarePay will be a tough one. The company is now under a microscope, and how it handles this crisis will be critical. “A confirmed breach of this scale could result in legal penalties, class actions, and intense scrutiny from both regulators and international partners,” writes Juliet Maina. For the millions of users whose data may be exposed, the wait for clear answers and decisive action begins.