Massive Data Breach Hits SafaricomBacked MTIBA Exposing Millions of Kenyan Patients Records Dawan Africa Dawan Africa

pLoadingppLoading article contentppUncovering the Continent Through Its Own LensppGet the latest breaking news and analysis delivered to your inboxppJoin our community of informed readers Unsubscribe anytimepp 2025 Dawan Africa All rights reservedppDesigned and Developed by Kulmi DigitalppKenya 28 October 2025 Kenyas digital health sector is facing a major cybersecurity crisis after hackers claimed to have stolen a massive trove of personal and medical data from MTIBA a Safaricombacked mobile health platform The alleged breach said to involve over 215 terabytes of information could expose the records of up to 48 million users making it one of the largest data leaks in Kenyas historyppppA threat actor known as Kazu announced the breach on dark web forums advertising the stolen database and sharing a 2GB sample file as proof The sample reportedly contains the details of more than 114000 users including both account holders and their beneficiaries The leaked information allegedly includes full names national ID numbers phone contacts dates of birth medical diagnoses and billing records along with data from about 700 health facilitiesppppCybersecurity analysts warn that the breach could expose highly sensitive patient information linking individuals to specific diagnoses and hospitals If verified it represents a serious violation of privacy and data protection laws leaving victims vulnerable to identity theft insurance fraud and blackmailppppMTIBA developed by CarePay in partnership with Safaricom and the PharmAccess Foundation has been hailed as a cornerstone of Kenyas healthtech ecosystem since its launch in 2016 The platform allows users to save send and spend money specifically for healthcare and helps manage insurance benefits and government health subsidies By 2024 MTIBA had more than 4 million users and partnerships with over 3000 hospitalsppppIn a statement CarePay neither confirmed nor denied the incident but said it was actively investigating the claims At MTIBA we take all matters of data security with the utmost seriousness a company representative said requesting access to the leaked files to assist with internal investigationsppppThe Office of the Data Protection Commissioner ODPC confirmed awareness of the alleged breach but declined to comment further citing an ongoing investigation Under Kenyas Data Protection Act 2019 companies are required to report breaches within 72 hours of discovery though no official notice has yet been made publicppppIronically the incident comes just two months after MTIBA announced it had achieved ISOIEC 270012022 certification an international standard for information security managementppppThe breach highlights a worrying trend as Kenyas digital expansion continues to outpace its cybersecurity readiness Between April and June 2025 the Communications Authority recorded over 46 billion cyberattacks an 80 jump from the previous quarter With platforms like MTIBA handling sensitive data daily experts warn that without stronger defenses more breaches could be loomingp