Shares

A massive data breach has reportedly compromised the sensitive personal and protected health information (PHI) of up to 4.8 million Kenyan users of the mobile health platform M-TIBA.

A threat actor, identified as “Kazu,” is advertising the stolen database, allegedly a staggering 2.15-terabyte file, on the cybercrime forum darkforums[.]st, raising urgent security alarms across Kenya’s health-tech sector. The breach was first reported  Twitter user @_mailler, who posted screenshots from the forum.

If verified, the data leak is one of the most significant breaches of sensitive health information in the region. The compromised data allegedly includes a vast trove of personally identifiable information (PII) and protected health information (PHI), exposing users to severe risks of targeted fraud and identity theft.

The compromised records reportedly contain:

  • Personally Identifiable Information (PII): Full names, national ID numbers, phone numbers, and dates of birth for both account holders and their beneficiaries.
  • Protected Health Information (PHI): Highly sensitive patient diagnoses, detailed billing and diagnosis breakdowns, and data related to nearly 700 associated health facilities.

The hacker is reportedly offering a 2GB sample file as proof, which alone is claimed to contain data from over 114,000 M-TIBA users.

M-TIBA, developed by CarePay in partnership with Safaricom, serves as a critical health wallet platform, allowing millions of Kenyans to save, send, and receive funds for medical services and manage their insurance schemes.

The breach brings immediate scrutiny to the platform’s security protocols, particularly since M-TIBA announced in August 2025 that it had received the ISO/IEC 27001:2022 certification for its Information Security Management System.

As I write this, neither M-TIBA, its parent company CarePay, nor the Office of the Data Protection Commissioner (ODPC) had issued an official public statement confirming the breach. Under the Kenya Data Protection Act, organizations are required to notify the ODPC of a personal data breach within 72 hours of becoming aware of it.