
A threat actor, identified on cybercrime forums as “Kazu,” is reportedly advertising a massive 2.15-terabyte database allegedly stolen from M-TIBA, a Kenyan mobile platform that facilitates healthcare payments and insurance for millions.
The data, which is being advertised on the hacker forum darkforums[.]st, is said to contain the sensitive records of 4.8 million Kenyan users.
The breach was first detailed on Monday by the X (formerly Twitter) user @_mailler, who posted screenshots from the forum. According to these reports, the hackers are offering a 2GB sample file as proof of the breach. This sample alone allegedly contains the data of over 114,000 M-TIBA users, including both account holders and their beneficiaries.
If verified, the scale of the leak is staggering. The compromised data reportedly includes a vast trove of personally identifiable information (PII) and protected health information (PHI). This data is said to include full names, national ID numbers, phone numbers, and dates of birth. More alarmingly, it also allegedly contains highly sensitive patient diagnoses, detailed billing and diagnosis breakdowns, and data from nearly 700 associated health facilities.
The leak appears to expose the intimate details of patient-provider interactions, linking specific individuals to treatment diagnoses and medical centers.
M-TIBA, developed by CarePay in partnership with Safaricom, is a cornerstone of Kenya’s health-tech ecosystem. It acts as a health wallet on mobile phones, allowing users to save, send, and receive funds for medical services, and manage their insurance schemes.
The breach raises urgent questions about data security at the company, which just two months ago, in August 2025, announced it had received an ISO/IEC 27001:2022 certification for its Information Security Management System.
As of Tuesday morning, neither M-TIBA, its parent company CarePay, nor Kenya’s Office of the Data Protection Commissioner (ODPC) has issued an official public statement confirming the breach or outlining mitigation steps. Under Kenya’s Data Protection Act, a company is required to notify the ODPC of a personal data breach within 72 hours of becoming aware of it.
The availability of such sensitive medical and financial data on the dark web exposes the 4.8 million affected individuals to severe risks of targeted fraud, identity theft, and personal extortion.




