The Office of the Data Protection Commissioner (ODPC) has acknowledged media reports suggesting that the M-Tiba mobile health-wallet platform may have suffered a cyber incident that potentially exposed users’ personal and health data.
In a statement on October 29, ODPC assured the public that appropriate action would be taken in line with the Data Protection Act, 2019, and its accompanying regulations.
“The Office of the Data Protection Commissioner (ODPC) is aware of media reports that the mobile health-wallet platform M-Tiba may have experienced a cyber-incident involving the potential exposure of personal and health data of users,” read part of the statement.
The ODPC added that it is currently engaging with M-Tiba and other relevant stakeholders to ascertain the full details of the alleged breach.
M-TIBA helps insurers digitize to give members 24/7 access to their insurance benefits, insights, and limits through their mobile phones.
M-Tiba Under Probe Over Alleged Data Breach
On October 25, a hacker group claimed to have stolen millions of medical and personal records from M-Tiba, a digital health wallet, in what could be one of Kenya’s largest data breaches.
A cybercrime group identifying itself as Kazu claimed to have accessed more than 17 million files, amounting to roughly 2.15 terabytes of data from M-Tiba’s servers.
To support their claims, the group shared a 2GB sample on their Telegram channel, Kazu Breach.
The leaked sample reportedly contains patients’ names, national ID numbers, phone contacts, dates of birth, and in some cases, medical diagnoses and billing information.
According to files reviewed by TechCabal, the exposed data includes details of about 114,000 users, covering both account holders and their beneficiaries.
Kazu alleged that the total number of affected individuals could reach 4.8 million, although this figure has not been verified.
The leak also includes 2,600 health facility records and scanned PDFs detailing patient diagnoses, treatment costs, and insurer information.
Kazu Data Breaches
Kazu is a coordinated cybercrime network notorious for executing large-scale data breaches targeting public institutions worldwide.
Since emerging in early 2025, the group has been linked to a string of high-profile cyberattacks — including the breach of Nepal’s Ministry of Education, which resulted in the leak of 1.4 terabytes of student records in July, and a May incident that exposed data from nearly two million citizens in the Nepal Police database.
Kazu has also claimed responsibility for intrusions into Kuwait’s Ministry of Public Works and Saudi Arabia’s Taif Municipality.
The syndicate’s operations typically exploit unpatched software vulnerabilities, phishing attacks, and weaknesses in supply-chain systems.