It started with a post on a dark corner of the internet, on a Telegram channel. A hacker group calling itself “Kazu” makes a horrifying claim. You can see it in a screenshot they posted. They claim to have hit M-Tiba and stolen 2.15 terabytes of data.
They say it’s 17 million files. And they claim it could affect up to 4.8 million people. This isn’t a “maybe.” This isn’t a threat. It’s a sales pitch. They’ve even put a price on it.
This is where it goes from a “tech problem” to a human one. To prove they’re serious, Kazu dropped a 2GB “sample.” And when you look at the files they shared, your stomach drops.
It’s not just spreadsheets. It’s things like the M-Tiba claim form. It’s a real scan of a real piece of paper. You can see a patient’s name. Their ID number. Their phone number.
And right there, in the “Doctor’s Notes” section, you can see handwritten details. Medical codes. A signature. Then you see another file. It’s an invoice. An Equity Afya clinic is billing M-Tiba’s parent company, CarePay. It lists the patient’s name, their member number, the exact date of their visit, and what they were there for. “Consultation.” “Lab Test.”
This is the digital twin of your most private moment, sitting in a doctor’s office, worried, vulnerable. And it’s now a product for sale.
Why This Breach Is a Nightmare
To understand why this is so bad, you have to understand what M-Tiba is. This wasn’t just some random app. M-Tiba was one of Kenya’s great “good-for-society” tech stories. It was launched in 2016, backed by giants like Safaricom and the PharmAccess Foundation.
- What is it? It’s a “digital health wallet.” The idea was brilliant. It lets people save, spend, and receive money specifically for healthcare.
- For millions of Kenyans, it was a practical path to affording a doctor’s visit. It was a digital “piggy bank” for health.
- It was also a massive clearinghouse, used by insurance companies and even the government to distribute health subsidies.
This is the devastating irony. The platform was built on trust. It was a haven for your health funds. And that very trust, that concentration of data, over 4 million users, 3,000+ hospitals, is what made it such a high-value target. The hackers didn’t just steal data. They stole the most sensitive data.
Under Kenya’s Data Protection Act of 2019, this stuff is in its own special category.
- What is “Sensitive Personal Information”? The law is very clear. It’s not just your name or phone number. It is, by definition, your health data, your genetic data, your biometric data. This is the highest class of protected information.
- A breach of this data isn’t just a PR problem; it’s a catastrophic legal and ethical failure.
The Sound of Silence
So, what do the people in charge say? This is where the story gets even more unsettling. M-Tiba (operated by CarePay) didn’t confirm or deny the breach. When asked, their response was a very careful, corporate “We take all matters… with the utmost seriousness… could you please share the specific source links… to aid our internal investigation?”
They asked the journalists to send them the stolen files. And the government? The Office of the Data Protection Commissioner (ODPC), the very agency created by that 2019 law to protect citizens, gave a chillingly vague, “We’re not authorised to comment on an active matter.”
The Bigger Picture: A House on Fire
This M-Tiba disaster isn’t a random spark. It’s a massive fire in a house that’s already burning. Kenya has been in a mad dash to digitise everything. And that digital shift, as you said, is “outpacing its cybersecurity capacity.”
- Just last year, the e-Citizen platform, the central hub for all government services, was hit by a massive hack.
- The Communications Authority (CA) reported that between just April and June of this year, they detected 4.6 billion cyber threats, an 80% jump from the previous quarter.
We’re in a new, wild, digital world. And the M-Tiba story is a brutal lesson: The same tools that can be a “lifeline” for millions can, in the wrong hands, become a weapon. And right now, 4.8 million people are waiting to find out just how badly that weapon has been used against them.
