A hacking group called Kazu says it has stolen over 17 million files containing medical and personal records from M-Tiba, the Safaricom-backed mobile health wallet used across Kenya. If confirmed, this would rank among the largest data breaches in the country’s history.
The group posted a 2GB sample of the alleged stolen data on their Telegram channel. The sample contains records for approximately 114,000 M-Tiba users, including both primary account holders and beneficiaries listed under their accounts.
Kazu claims the full data breach affects 4.8 million people, with 17,158,105 files that total 2.15 terabytes of data.
The leaked sample reveals extensive personal information, with user records including full names, national ID numbers, phone numbers, dates of birth, and gender. The breach isn’t limited to basic account information, either.
One of the samples also contains detailed health facility data with patient diagnosis information, medical billing breakdowns, and treatment records.
Around 700 health facilities appear in the leaked sample data. The facility records contain email addresses and names of healthcare providers, patient names, phone numbers, dates of birth, and transaction amounts.
For roughly 2,600 facilities, the leak includes PDF documents with complete billing and diagnosis breakdowns for individual patients.
These PDF scans expose extremely sensitive data. They contain patients’ full names, ID or passport numbers, phone numbers, email addresses, insurance company names, dates of birth, names of principal members who pay for the coverage, and the full names of treating doctors.
M-Tiba is operated by CarePay, a mobile health data and payment distribution platform based in Kenya. When Techweez asked about the breach, CarePay neither confirmed nor denied that it occurred.
A company representative simply requested specific source links to the posts making these allegations before proceeding with their internal investigation.
READ: NSSF Denies Allegations of Massive 2.5TB Data Breach
The breach raises serious concerns about healthcare data protection in Kenya. Medical records contain some of the most sensitive personal information, including diagnoses that patients may not want disclosed.
Combined with national ID numbers and contact information, the leaked data could enable identity theft, fraud, or targeted scams against vulnerable patients.
Kazu hasn’t explained how they gained access to M-Tiba’s servers or when the intrusion occurred. The group’s motivation for the breach and whether they plan to sell the data or release more of it also remains unknown.
