Your Medical Records Were Wide Open: How Three Digital Lenders Hacked the Heart of Kenya’s Health System and the DHA Chief Who Looked Away

Three digital lending companies operated with live, unrestricted access to the Social Health Authority database, reading and refreshing the medical records, personal details, and dependent information of over 30 million Kenyans. The man responsible for securing that database was warned more than a month ago. He went silent.

Eng. Anthony Lenaiyara, the Acting Chief Executive Officer of the Digital Health Agency

The messages arrived in a sequence that would alarm any person who understands what the Social Health Authority database contains. First came a screenshot of a complete SHA member profile: name, date of birth, national identification number, medical coverage status, OTP whitelisting controls, and a live button that the sender could press to refresh the member’s records directly from the AfyaYangu system. Then came the employer details of a relative. Then came the confirmation, in plain WhatsApp text, that the person sending all of this was a debt collector working for a licensed digital lending company.

“Raha pesa is still pending,” the collector wrote. “There are so many ways of killing a rat, buddy.” Attached to the threat was a screenshot pulled live from within the SHA system, complete with the borrower’s SHA registration number, date of birth, and a functional interface button reading: Refresh Member and Dependants From AfyaYangu. Another button read: Request OTP Whitelisting for Member.

This was not a leak. This was not a historical dump sold on a dark web forum. This was a live, active, real-time breach of a government health database, wielded as a debt collection weapon against a Kenyan citizen whose only offence was falling behind on a seven-day mobile loan worth a few thousand shillings.

Kenya Insights has seen the complaint letter, WhatsApp transcripts, SMS records, and photographic evidence establishing that agents and employees of at least three digital lending companies, namely Payablu Credit Limited trading as Tuma Cash, Loan Plus Digital Credit Provider Limited trading as DG Loan, and Gotway Limited trading as Tena Pesa, had functional, logged-in access to the SHA member database in April 2026.

The evidence shows that agents used this access to extract and weaponise the health, employment, and biographical information of borrowers and their family members during debt recovery operations.

The evidence also shows that a written complaint documenting all of this was sent by email to the office of Eng. Anthony Lenaiyara, the Acting Chief Executive Officer of the Digital Health Agency, as far back as April 15, 2026. He has not responded. He has not acted. He has not acknowledged. The SHA system remained open.

Inside the Breach: What the Loan Agents Could See

The SHA database, managed operationally by the Digital Health Agency through its Comprehensive Integrated Health Information System and the public-facing AfyaYangu platform, holds the registration records of every Kenyan who has enrolled in the Social Health Insurance Fund since it opened in October 2024. As of April 2026, that figure exceeded 30 million registered members.

The records stored in the system include full legal names, national identification numbers, dates of birth, SHA customer registration numbers, employer details, coverage periods, dependent relationships, medical history accessible through the health information exchange, and OTP management controls that govern a member’s access to health services.

The screenshots reviewed by Kenya Insights show debt collection agents operating what appears to be an internal or third-party interface connected directly to the SHA backend.

On one screen, a complete SHA member profile is displayed with active function buttons.

The interface is not a static screenshot downloaded from a public page. It is a live panel with interactive controls, including a green button to refresh the member’s records from AfyaYangu in real time and an orange button to request OTP whitelisting, a function that modifies a member’s actual SHA account settings. The agent who sent these screenshots to a borrower described themselves, when confronted directly, as working for Tena Pesa.

A second set of screenshots, from a separate agent operating from a different number, shows the SHA record of the borrower’s brother, including the brother’s name, employer identification, insurance policy period, and relationship status within the SHA system.

The employer in question, Oxygene Marketing Communication, a Nairobi-based advertising firm located at Two Rivers Mall on Limuru Road, was identified not from any contact or reference list provided by the borrower. It was pulled directly from the SHA database, where the brother’s SHA contributory employer was recorded.

The same agent then threatened to send correspondence to the official email addresses and phone numbers of Oxygene Marketing Communication, information also sourced, they confirmed, from within the SHA system.

When asked directly how they had access to SHA and the wider Universal Health Coverage system, the agent responded casually: “Let me do it. Tupate pesa [let’s get the money]. Then I tell you more about it. I am very idle. I got a lot of time to explain.” The agent later confirmed, unprompted, that this access is used against multiple borrowers. “You are not the first person,” the agent told the borrower.

A third agent, using a WhatsApp number with the display name MODERATE, sent a stream of messages containing the borrower’s employer details sourced from the SHA system, repeated six times in succession, before issuing a tirade demanding loan repayment. The same shortcode channel sent messages containing details that could only have originated from the SHA database.

The Companies: Who Are Tuma Cash, DG Loan, and Tena Pesa?

Payablu Credit Limited, the company behind the Tuma Cash lending application, is registered in Kenya and offers short-term mobile loans typically repayable within seven days.

Loan Plus Digital Credit Provider Limited, operating the DG Loan application, markets itself on the Apple App Store as a fast, secure, and fully licensed lender offering loans of up to Ksh 900,000 at stated APRs of between 12 and 36 percent.

Its developer privacy disclosures on the App Store acknowledge that the application collects location data, contact information, identifiers, and usage data, and that this data may be used to track users across other apps and websites.

Gotway Limited operates Tena Pesa, a third mobile lending application with a similar seven-day product structure.

All three companies entered the market by offering instant, paperless loans disbursed directly to M-Pesa. All three required, as a condition of loan disbursement, access to a borrower’s phone data including contacts, a practice that has long served as the foundation for the harassment-by-contacts model that Kenyan regulators have spent years attempting to suppress.

What distinguishes this case from ordinary digital lending harassment, however, is not the contact harvesting. It is the apparent integration with, or infiltration of, a government health database.

The critical question is not only how these companies obtained access to SHA records, but whether that access was granted officially, procured through a rogue employee or contractor within the Digital Health Agency or SHA, or achieved through an API vulnerability that nobody in government has yet acknowledged. None of the three companies responded to questions sent by Kenya Insights prior to publication.

The Warning That Went Nowhere: DHA’s Deafening Silence

On April 13, 2026, a Nairobi resident who had been subjected to the attacks prepared a formal complaint letter addressed to three senior officials: Mr. Mohamed I. Amin, Director of Criminal Investigations; Eng. Anthony Lenaiyara, Acting CEO of the Digital Health Agency; and Dr. Kamau Thugge, Governor of the Central Bank of Kenya.

The letter, which Kenya Insights has reviewed in full, described in methodical detail the specific companies involved, the nature of the access, the personal data that had been extracted, and the legal provisions it violated. It attached evidence and invoked Section 16 of the Access to Information Act 2016.

On April 15, 2026, the complainant sent a follow-up email directly to the CEO Office of the Digital Health Agency, attaching the full complaint letter and marking it urgent.

The subject line was clear: Sha Data Breach Complaint. The email named Payablu Credit, Loan Plus Digital Credit, and Gotway Limited explicitly. It described the live, ongoing nature of the breach and asked that it be contained immediately. It noted that over 30 million Kenyans had been exposed.

Six weeks have passed. Eng. Lenaiyara has not responded. The DHA has issued no public statement about the breach. The SHA system, as far as any available public evidence indicates, has not been secured against this specific form of access. No arrest has been made. No company has been sanctioned. No investigation has been publicly announced.

The irony is difficult to overstate.

In December 2025, Eng. Lenaiyara told the media that the AfyaYangu platform is anchored under the Digital Health Act 15 of 2023 and that legal provisions exist to safeguard against risks around sensitive medical records.

In June 2025, he stood beside Cabinet Secretary Aden Duale at Afya House to announce that digital transformation is the backbone of an efficient and transparent healthcare system.

Just weeks before the SHA email arrived in his office, his agency was still issuing press statements boasting about portability of patient data across health facilities. The patient data was portable, indeed. Portable straight into the hands of a debt collector at a Nairobi loan app.

The Digital Health Information Management Procedures Regulations of 2025, issued under the DHA’s own governing legal framework, require any health data controller to notify the CEO of the DHA within 48 hours of becoming aware of a data breach, to submit a full incident report within 72 hours, and to implement an Incident Response Plan.

Eng. Lenaiyara’s office was the recipient of the notification. His office is also, under the same framework, the body legally required to act on it. He received the complaint. He did nothing.

A System Already Bleeding: SHA’s Catastrophic Security Record

The data breach documented in this investigation does not exist in isolation.

It is the latest wound on a health system that has bled consistently since SHA began operations in October 2024.

The Auditor-General’s office has flagged Ksh 50 billion in unsupported, irregular, or untraced payments from the Social Health Insurance Fund in the year ending June 2025.

Within that sum, Ksh 7.3 billion that SHIF reported transferring to SHA is not reflected in SHA’s own accounts. The money has simply vanished. A further Ksh 4.78 billion was disbursed using service codes that have never been gazetted. The system that was supposed to end the corruption of NHIF has thus far produced a scandal of staggering proportions.

In October 2025, a catastrophic data breach struck M-TIBA, a Safaricom-backed mobile health platform.

A threat actor known as Kazu claimed to have stolen 2.15 terabytes of health data covering up to 4.8 million users, including medical diagnoses, billing records, national identification numbers, and clinical visit histories from approximately 700 health facilities.

The breach was advertised on dark web forums, with a 2 gigabyte sample offered as proof of access. The Office of the Data Protection Commissioner launched an investigation. No prosecution has been publicly confirmed to date.

Then in March 2026, SHA’s own digital platform suffered what it described as a critical system failure, taking down pre-authorisation services across contracted health facilities nationwide for days.

SHA CEO Dr. Mercy Mwangangi issued a public notice but offered no technical explanation of the failure’s origin.

The pattern is consistent: a system of extraordinary national sensitivity, holding the health and biometric data of tens of millions of Kenyans, suffering repeated crises, with no accountability and no forensic transparency.

Between April and June 2025, the Communications Authority of Kenya recorded more than 4.6 billion cyberattacks against Kenyan digital infrastructure, an 80 percent increase from the previous quarter.

Kenya’s digital health systems are being built faster than they are being secured.

The SHA database, containing 30 million members’ medical and biographical records, sits at the intersection of every vulnerability in that ecosystem.

The Wider Scandal: An Industry Built on Stolen Data

The digital lending industry’s relationship with data it has no right to possess is not a new story in Kenya.

By early 2025, the Office of the Data Protection Commissioner had received more than 4,000 complaints from Kenyans alleging that digital lenders had misused their personal data. Of those, only a fraction resulted in formal investigations.

The ODPC has signalled that it will audit at least 40 digital lenders for data breaches, but enforcement has been characterised by legal experts as slow and administratively thin against an industry that moves at the speed of a WhatsApp message.

What makes the SHA breach qualitatively different from the known offences of the digital lending sector is the nature of the data being accessed. When a loan app harvests your contacts and calls your mother, it is committing an offence under the Computer Misuse and Cybercrimes Act and the Data Protection Act.

When a loan app is operating inside the government’s national health database, refreshing your medical records in real time, viewing your coverage details, accessing your employer’s information from your SHA registration, and threatening to weaponise that information unless you pay a loan, it has crossed into territory that the complaint letter accurately describes as a national security matter.

The agent who identified as working for Tena Pesa did not merely boast of having access. They confirmed, without any apparent concern about legal consequences, that this was routine. “You are not the first person,” they said.

That statement implies an established practice, a business model that incorporates unauthorised health data access as a standard tool of debt recovery.

The question for investigators is therefore not only how many borrowers of Tuma Cash, DG Loan, and Tena Pesa have had their SHA records accessed and weaponised, but whether other digital lenders operating in Kenya have found the same door open.

The Business Laws (Amendment) Act, 2024, which took effect on January 1, 2025, elevated harassment by digital lenders from an administrative infraction to a criminal offence.

The CBK Digital Credit Providers Regulations 2022 explicitly prohibit contacting third parties, including family members and employers, without prior consent.

The Computer Misuse and Cybercrimes Act 2018 criminalises unlawful access to computer data under Section 5 and computer fraud under Section 26. The Penal Code provides for prosecution under handling stolen goods at Section 322 and conspiracy at Section 393.

The Data Protection Act authorises the ODPC to impose fines of up to Ksh 5 million or two percent of annual turnover, whichever is higher.

The law is comprehensive. The evidence is documented. The complaint was filed. The agency responsible for security was formally notified. Nothing happened.

Questions That Demand Immediate Answers

Kenya Insights sent questions to the Digital Health Agency, the Social Health Authority, the Office of the Data Protection Commissioner, the Directorate of Criminal Investigations, and the three companies named in this investigation: Payablu Credit Limited, Loan Plus Digital Credit Provider Limited, and Gotway Limited. At the time of publication, none had responded.

The questions that require urgent public answers are these: How did employees or agents of these three digital lending companies obtain what appears to be live, interactive access to the SHA member database? Was this access granted through a formal integration, procured through a corrupt insider within the DHA or SHA, or achieved through an unpatched vulnerability in the system architecture? How many Kenyan borrowers across all digital lenders have had their SHA records accessed without their knowledge or consent? What disciplinary or criminal action is being taken against the named companies, their directors, and their agents? And why has Eng. Anthony Lenaiyara, the Acting CEO of the Digital Health Agency, failed to respond to a formal breach notification submitted to his office six weeks ago?

Eng. Lenaiyara has been publicly articulate about the promise of digital health in Kenya. He has spoken at international forums, briefed parliamentary committees, and championed the AfyaYangu platform as a transformative tool. But a system that stores the medical history of 30 million Kenyans is only as valuable as its security, and a regulator is only as credible as his willingness to act when the system fails. The evidence presented in this investigation suggests that, on both counts, the Digital Health Agency has failed catastrophically.

What Must Happen Now

The DCI must immediately investigate Payablu Credit Limited, Loan Plus Digital Credit Provider Limited, and Gotway Limited for offences under the Computer Misuse and Cybercrimes Act, the Data Protection Act, the Penal Code, and the Anti-Money Laundering and Combating of Terrorism Financing Act.

The investigation must include a full forensic audit of how these companies obtained SHA system access, who within the government or the technology supply chain facilitated that access, and how many individuals have been affected.

The ODPC must immediately audit all licensed and unlicensed digital lenders for SHA system access and impose emergency enforcement measures against those found to be operating in the database. The CBK must suspend or revoke the licenses of the named companies pending investigation. The Ethics and Anti-Corruption Commission must examine whether any official within the DHA or SHA enabled or facilitated this access.

And Cabinet Secretary Aden Duale, who has championed digital transformation at SHA with great political energy, must now answer for the man he appointed to guard it. Eng. Anthony Lenaiyara received a written, documented, evidence-backed breach notification six weeks ago. He is still in his office. The SHA database is still running. The companies that accessed it have not been charged.

The health records of 30 million Kenyans were not an abstraction. They were a weapon. And someone in government left the armoury unlocked.
