Kenya's Data Commissioner has launched a formal investigation into claims of a massive data breach at the M-Tiba health platform, potentially exposing the sensitive medical and personal information of millions of Kenyans and testing the nation's data protection laws.

NAIROBI, KENYA – The Office of the Data Protection Commissioner (ODPC) on Wednesday, October 29, 2025, launched a high-stakes investigation into an alleged massive data breach involving the mobile health wallet M-Tiba. The probe follows claims by a hacker group that it has stolen the sensitive personal and medical records of up to 4.8 million Kenyans, a development that could represent one of the largest data breaches in the nation's history.
The allegations surfaced after a group identifying itself as “Kazu” claimed on cybercrime forums to have exfiltrated 2.15 terabytes of data from M-Tiba's servers. The group reportedly published a 2-gigabyte sample file on the messaging platform Telegram as proof of the intrusion. An initial analysis of the sample suggests it contains the records of approximately 114,000 users, including both primary account holders and their beneficiaries.
The compromised information allegedly includes a vast trove of highly sensitive data: full names, national ID numbers, phone contacts, dates of birth, and, most critically, private medical information such as patient diagnoses and detailed billing records from nearly 700 health facilities. If the hackers' claims are verified, the breach could expose millions of Kenyans to significant risks, including identity theft, financial fraud, and targeted scams.
In a statement released on Wednesday, October 29, 2025, the ODPC confirmed its awareness of the incident and the gravity of the potential exposure. “Our priority is to protect the rights of all data subjects, particularly given the sensitivity of health-related information, and ensure that appropriate action is taken in accordance with the Data Protection Act 2019 and its accompanying regulations,” the ODPC stated. The regulator confirmed it is “actively engaging” with M-Tiba and other stakeholders to establish the full scope and nature of the possible breach.
M-Tiba is operated by CarePay, a Kenya-based health technology firm, in partnership with telecommunications giant Safaricom. The platform serves as a crucial digital health wallet for millions, enabling them to save, send, and spend funds for healthcare services. When contacted about the allegations, CarePay neither confirmed nor denied the breach. A company representative stated, “At M-TIBA, we take all matters of data security with the utmost seriousness. As part of our standard protocol, we would like to actively investigate the claims you are referring to,” and requested source links to aid their internal investigation.
The incident places Kenya's Data Protection Act, 2019, under a significant spotlight. Under this law, medical and health data are classified as “sensitive personal data,” which legally requires the highest standards of protection. The Act mandates that in the event of a breach that poses a risk to individuals' rights, data controllers must notify the ODPC within 72 hours of becoming aware of it.
Should the investigation confirm a breach and find M-Tiba or its operators to be non-compliant with the Act, the penalties could be severe. The law provides for administrative fines of up to KES 5 million or, in the case of a company, up to 1% of its preceding year's annual turnover, whichever is lower. The ODPC has previously issued significant fines for data protection violations, including a KES 4.55 million penalty against a school for posting minors' images without parental consent.
The timing of the alleged breach is particularly concerning, as it comes just months after M-Tiba's operator, CarePay, announced in August 2025 that it had received an ISO/IEC 27001:2022 certification for its Information Security Management System, an international benchmark for data security. This investigation will not only determine the veracity of the hackers' claims but also serve as a critical test of corporate accountability and the enforcement power of Kenya's data protection framework in an era of rapid digitalization. The ODPC has assured the public it will take necessary steps to ensure accountability and protect affected individuals as its investigation proceeds.