M-Tiba Breach Exposed 4.8 Million Records, Report Reveals 10-Day Detection Delay


A cyberattack on the Kenyan healthtech platform M-Tiba exposed the personal and medical information of nearly five million Kenyans, according to an internal status report from the platform’s operator, CarePay Limited.

The report, which was shared with insurance firms including Jubilee, Fidelity, GA Insurance, and AAR Insurance, reveals that the breach went undetected for 10 days, TechCabal reports. The intrusion occurred between October 17 and 25, but the company only discovered it on October 27.

The incident has raised serious concerns about delayed detection, communication gaps, and potential violations of Kenya’s data protection laws.

According to the report, the attack began when a third-party healthcare provider's device was infiltrated, compromising that provider's user credentials. The attackers then used the stolen credentials to gain access to M-Tiba's Version 2 platform.

From there, they extracted a massive dataset. “Approximately 4.8 million records were illegally obtained in relation to beneficiaries and claims across various healthcare payers,” CarePay stated in the report. The company also noted that “a sample of the dataset has been made available for downloading via the dark web.”

The breach affects insurance companies, healthcare providers, and policyholders, including children. The stolen data is reported to be extensive and highly sensitive, including personally identifiable information (full names, ID numbers, photos, and contact details), sensitive health information (diagnoses, lab results, prescriptions, and discharge summaries), and financial information (insurance claims, benefit limits, and payment utilisation).

A review of the data indicates that all major insurance firms and thousands of health facilities across Kenya, including public, private, and faith-based institutions, were impacted.

The handling of the breach has drawn criticism. Staff at Jubilee and AAR Insurance who spoke to TechCabal reportedly learned of the incident from media reports, not from CarePay.

In a public notice on October 29, the Office of the Data Protection Commissioner (ODPC) stated it also became aware of the incident through media reports.

“The Office of the Data Protection Commissioner (ODPC) is aware of media reports that the mobile health-wallet platform M-Tiba may have experienced a cyber-incident involving the potential exposure of personal and health data of users,” ODPC said in a statement.

This would be a potential violation of Kenya's Data Protection Act (2019), which requires data controllers to report breaches within 72 hours of becoming aware of them and to promptly notify affected individuals where there is a high risk to their rights.

CarePay's report set out its position: "As the processor, we have informed the controllers [insurance firms] who will subsequently inform data subjects." As of the report, affected individuals had not yet been notified.

The ODPC has opened an investigation to determine if the company complied with data protection laws, which could lead to fines and enforcement orders.

Source
TechCabal

By Nixon Kanali
