By Faith Mwende
Kenya’s data protection authority announced today that it is investigating a potential cybersecurity breach at MTiba, a Safaricom-supported mobile health wallet platform, which may have led to the exposure of users’ sensitive personal and health data.
The Office of the Data Protection Commissioner (ODPC) issued a press statement confirming it “is aware of media reports that the mobile health wallet platform MTiba may have experienced a cyber incident involving the potential exposure of personal and health data of users.”
Emphasizing the gravity of the situation, the Commissioner’s office outlined that its priority is to “protect the rights of all data subjects particularly given the sensitivity of health related information and ensure that appropriate action is taken in accordance with the Data Protection Act 2019 and its accompanying regulations.”
To ascertain the facts, the ODPC confirmed it “is actively engaging with the Data Processor, MTiba and other stakeholders to establish the full facts of the situation.”
No further details were provided regarding the scale of the potential breach or the specific data involved. The public and affected users are awaiting further updates as the official investigation unfolds.
The investigation comes after a group of hackers claimed to have stolen millions of medical and personal records from M-Tiba in what could be one of Kenya’s biggest data breaches ever.
The hacker group calling itself Kazu says it has accessed over 17 million files (about 2.15 terabytes of data) from M-Tiba’s servers.
They have since shared a 2GB sample of the stolen files on their Telegram channel, which reportedly includes patients’ names, national ID numbers, phone contacts, dates of birth, and medical details such as diagnoses and billing records.
The leaked sample is said to contain information on around 114,000 users. Kazu claims the total number of affected people could reach 4.8 million, though this has not been confirmed.
M-Tiba is operated by CarePay, a Nairobi-based health tech company.
The firm has not confirmed or denied the breach but says it is investigating the claims.
CarePay has also reportedly requested access to the leaked files to verify whether the data is genuine.