Cyberattack on M-Tiba Was Only Detected After 10 Days — Report Reveals

A cyberattack on M-Tiba, a Kenyan healthtech platform, went undetected for ten days, exposing the personal and medical information of nearly five million users, according to an internal report seen by TechCabal.

The breach occurred between October 17 and 25 but was only discovered on October 27 at 1:23 p.m. CarePay Limited, the operator of M-Tiba, shared the report with insurance companies including Jubilee, Fidelity, GA Insurance, and AAR Insurance. The document reveals delayed detection, limited communication, and potential violations of Kenya’s Data Protection Act of 2019.

CarePay said the intrusion began when a third-party healthcare provider’s device was compromised, allowing attackers to access user credentials. The stolen credentials were used to enter M-Tiba’s Version 2 platform and extract a large dataset covering insurance claims, patient information, and clinical records.

Approximately 4.8 million records were illegally obtained, including financial details such as insurance claims and benefit limits, personally identifiable information such as names, ID numbers, photos, and contact details, as well as sensitive health information including diagnoses, lab results, prescriptions, and discharge summaries.

The breach affects insurance companies, healthcare providers, and policyholders, including children. A TechCabal review found that all major insurance firms were affected, along with thousands of health facilities, both public and private, including those run by religious organisations such as the Catholic Church.

Despite the scale of the breach, affected users have yet to be contacted. CarePay said it informed the data controllers, who are expected to notify the individuals directly. Some insurance staff revealed that they learned about the incident from media reports rather than from CarePay or the Office of the Data Protection Commissioner.

Under Kenyan law, breaches must be reported within 72 hours and affected individuals notified if there is a high risk to their rights. The ODPC has opened an investigation into whether CarePay complied with these requirements. If found in breach, the company could face fines and enforcement orders.

The M-Tiba incident highlights how vulnerable digital health platforms are and raises concerns about how well sensitive health information is protected in Kenya.