CATASTROPHIC SECURITY BREACH: 4.8 MILLION KENYANS’ PRIVATE MEDICAL RECORDS PLUNDERED IN MASSIVE M-TIBA CYBERATTACK

Dark web criminals expose intimate diagnoses, ID numbers, insurance details in what could be Kenya’s worst-ever health data disaster

Kenya is reeling from what security experts are calling a “catastrophic privacy violation” after hackers claimed to have stolen millions of medical and personal records from M-Tiba a digital health wallet used by millions of Kenyans .

A cybercrime syndicate calling itself Kazu claims to have seized more than 17 million files totaling approximately 2.15 terabytes of data from M-Tiba’s servers , creating a chilling treasure trove of the nation’s most intimate health secrets now circulating in the criminal underworld.

The scale of the breach is staggering.

The stolen database allegedly contains sensitive information on 4.8 million Kenyan users  , exposing not just names and national ID numbers but deeply personal medical diagnoses, billing information, and treatment histories that patients never imagined would end up for sale on dark web forums.

A SINISTER SAMPLE REVEALS THE HORROR

The hackers brazenly shared a 2GB sample of their stolen treasure on their Telegram channel, containing what appear to be patients’ names, national ID numbers, dates of birth, phone contacts, and in some cases their medical diagnoses and billing information.

This sample alone has already compromised the data of about 114,000 users, both account holders and their beneficiaries .

But the nightmare extends far beyond individual patients

The leaked files contain records from about 700 health facilities, with some scans showing full billing sheets and patient diagnostic summaries, including the names of doctors and insurance companies.

In one set of documents, patient IDs, contact details, and treatment costs were listed alongside handwritten notes from medical staff .

Imagine waking up to discover your HIV diagnosis, mental health treatment, or cancer records are now available to identity thieves, blackmailers, and scam artists prowling the internet’s darkest corners.

For millions of Kenyans, this nightmare is now reality.

DEAFENING SILENCE FROM THE GUARDIANS

Despite the severity of the breach, M-Tiba’s operator CarePay has neither confirmed nor denied the breach, instead asking journalists to share copies of the leaked files to assist with their review.

This tepid response has sparked fury among cybersecurity experts who note that precious hours are being wasted while criminals exploit the stolen data.

“At M-TIBA, we take all matters of data security with the utmost seriousness,” CarePay claimed in what critics are calling an empty platitude devoid of concrete action or accountability.

Adding to the scandal, the Office of the Data Protection Commissioner acknowledged awareness of the incident but declined to elaborate, citing they were not authorized to comment on an active matter.

This bureaucratic stonewalling has left millions of vulnerable Kenyans in the dark about what has happened to their most sensitive information.

The timing could not be more damning.

Just two months ago, in August 2025, M-Tiba proudly announced it had received ISO/IEC 27001:2022 certification for its Information Security Management System.

That international security badge now looks like cruel irony as the company grapples with one of Kenya’s most devastating data breaches.

KENYA’S DIGITAL DREAMS BECOME CYBERSECURITY NIGHTMARES

This catastrophe arrives as Kenya’s digital transformation accelerates at breakneck speed, often outpacing the security infrastructure needed to protect it.

The Communications Authority recorded over 4.6 billion cyberattacks between April and June 2025, an 80% rise compared to the previous quarter, with most incidents involving phishing, ransomware, and data breaches targeting banks, telecommunications companies, and government systems .

M-Tiba has been one of Kenya’s digital success stories since its 2016 launch through a partnership between CarePay, Safaricom, and the PharmAccess Foundation.

The platform allows users to save and spend money specifically for healthcare and is used to distribute insurance benefits and government health subsidies.

By 2024, the platform had attracted over 4 million users and partnerships with more than 3,000 hospitals across the country.

But that very success made it an irresistible target for cybercriminals.

The more Kenyans trusted M-Tiba with their health information, the more valuable that data became on the black market.

THE KAZU SHADOW SYNDICATE

The threat actor Kazu has recently emerged as a notably active group engaged in data leak activities, with credible sources tying the group to multiple security breaches involving unauthorized system access and attempts to sell stolen data on dark web marketplaces.

The hackers are advertising the stolen M-Tiba database on the cybercrime forum [darkforums.st](http://darkforums.st) , where criminals trade in human misery.

The group’s methods remain mysterious. They have not explained how they penetrated M-Tiba’s supposedly secure systems or when the intrusion occurred.

What is clear is that they now possess an unprecedented window into the medical lives of millions of Kenyans.

A LEGAL AND MORAL RECKONING AWAITS

If confirmed, the M-Tiba breach would mark one of the most serious exposures of medical data since Kenya’s Data Protection Act came into force in 2019. The law classifies health records as sensitive personal information, requiring strict safeguards .

Under Kenya’s Data Protection Act, a company is required to notify the ODPC of a personal data breach within 72 hours of becoming aware of it.

Whether M-Tiba has complied with this legal obligation remains unclear, adding potential regulatory violations to the company’s mounting crisis.

The consequences for victims are severe and permanent. Medical records represent some of the most sensitive personal information imaginable.

Combined with national ID numbers and contact details, this leaked data creates a perfect storm for identity theft, insurance fraud, medical blackmail, and targeted scams against some of Kenya’s most vulnerable citizens.

For pregnant women whose conditions are now exposed, for HIV patients whose status has been compromised, for mental health patients whose private struggles are now public, and for cancer patients whose diagnoses are being traded like commodities, this breach represents a violation that no apology can undo.

As Kenya races toward a digital future, the M-Tiba catastrophe stands as a brutal reminder that without robust cybersecurity, every convenience comes with existential risk.

The question now is not whether this will happen again, but how many more millions of Kenyans will have their privacy shattered before the country’s digital guardians take security seriously.

The data is already out there.

For 4.8 million Kenyans, it is too late to close the barn door. The damage is done, and the criminals are counting their profits.