A cyberattack targeting M-Tiba, a Kenyan healthtech platform, went unnoticed for 10 days, exposing personal and medical data belonging to nearly five million Kenyans, according to an internal report obtained.

The report, prepared by M-Tiba’s operator CarePay Limited and shared with insurance firms such as Jubilee, Fidelity, GA Insurance, and AAR Insurance, disclosed that the breach occurred between October 17 and 25 but was only identified on October 27 at 1:23 p.m.

It depicts a situation marked by slow detection, minimal communication, and possible breaches of Kenya’s data protection regulations.

10-day window of exposure

CarePay explained that the attack began after a third-party healthcare provider’s device was compromised, allowing hackers to steal user credentials. With these credentials, the attackers gained unauthorized access to M-Tiba’s Version 2 platform, retrieving large volumes of insurance claims, patient details, and clinical information.
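The attack chain the report describes (a stolen credential used to pull a large volume of records over several days) is the pattern a platform operator should be able to detect within hours rather than ten days. The following is an added illustration, not code from CarePay or M-Tiba: a small detector that reads a constructed access log (format, user names, addresses and counts are all assumed for the example) and flags a credential whose daily record volume far exceeds its own history or an absolute ceiling, and a credential that suddenly appears from a source address it has never used.

```python
from collections import defaultdict
from statistics import median

# Constructed sample access log (not real M-Tiba data). One line per API call:
# timestamp credential source_ip records_returned
SAMPLE_LOG = """
2025-10-12T08:10:00 clinic_user_17 10.4.2.9 14
2025-10-13T08:12:00 clinic_user_17 10.4.2.9 11
2025-10-14T09:05:00 clinic_user_17 10.4.2.9 18
2025-10-15T08:55:00 clinic_user_17 10.4.2.9 9
2025-10-16T10:20:00 clinic_user_17 10.4.2.9 15
2025-10-17T02:14:00 clinic_user_17 198.51.100.23 40000
2025-10-17T02:31:00 clinic_user_17 198.51.100.23 40000
2025-10-17T03:02:00 clinic_user_17 198.51.100.23 38000
2025-10-12T08:30:00 clinic_user_22 10.4.7.3 20
2025-10-13T08:31:00 clinic_user_22 10.4.7.3 25
2025-10-14T08:29:00 clinic_user_22 10.4.7.3 19
2025-10-15T08:35:00 clinic_user_22 10.4.7.3 22
2025-10-16T08:33:00 clinic_user_22 10.4.7.3 24
2025-10-17T08:34:00 clinic_user_22 10.4.7.3 60
"""

RATIO_THRESHOLD = 10       # day total more than 10x the credential's own median day
ABSOLUTE_THRESHOLD = 5000  # or more than this many records in one day, whatever the history
MIN_BASELINE_DAYS = 3      # ratio check only once we have this many prior days to compare


def parse_log(text):
    """Parse the assumed four-field log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, cred, src, count = line.split()
        events.append({"day": ts[:10], "cred": cred, "src": src, "count": int(count)})
    return events


def daily_totals(events):
    """Aggregate to credential -> day -> {records returned, set of source addresses}."""
    totals = defaultdict(lambda: defaultdict(lambda: {"count": 0, "sources": set()}))
    for e in events:
        day = totals[e["cred"]][e["day"]]
        day["count"] += e["count"]
        day["sources"].add(e["src"])
    return totals


def detect(events):
    """Return (day, credential, alert_kind, detail) tuples, walking each credential's days in order."""
    alerts = []
    for cred, days in daily_totals(events).items():
        history = []            # per-day record counts seen so far for this credential
        seen_sources = set()    # source addresses seen on earlier days
        for day in sorted(days):
            today = days[day]
            if today["count"] >= ABSOLUTE_THRESHOLD:
                alerts.append((day, cred, "absolute_volume", today["count"]))
            elif len(history) >= MIN_BASELINE_DAYS and today["count"] > RATIO_THRESHOLD * median(history):
                alerts.append((day, cred, "relative_volume", today["count"]))
            new_sources = today["sources"] - seen_sources
            if seen_sources and new_sources:
                alerts.append((day, cred, "new_source", ",".join(sorted(new_sources))))
            history.append(today["count"])
            seen_sources |= today["sources"]
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run on the constructed log, the steady user produces nothing while clinic_user_17 raises an absolute-volume alert (118,000 records in one day) and a new-source alert on the first day of the bulk pull. The per-credential baseline matters: a provider's legitimate daily claims traffic varies widely between a rural dispensary and a large hospital, so a single global threshold would either miss small-site compromises or drown in false positives.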

“Approximately 4.8 million records were illegally obtained in relation to beneficiaries and claims across various healthcare payers,” CarePay said in the report. “A sample of the dataset has been made available for downloading via the dark web.”

Although CarePay has yet to contact affected individuals directly, it stated that data controllers — mainly the insurance companies — have been notified and are responsible for informing users.

“As the processor, we have informed the controllers who will subsequently inform data subjects,” the report said.

CarePay did not issue a comment when contacted.

The compromised information includes financial records (such as insurance claims, benefit limits, and utilization), personally identifiable details (including full names, ID numbers, photos, and contact information), and sensitive medical data like diagnoses, lab results, prescriptions, and discharge summaries.

The breach impacts insurance companies, healthcare providers, and policyholders — including minors.

A review of the leaked data revealed that nearly all major insurers were affected, along with thousands of healthcare facilities — public, private, and faith-based — across Kenya, including rural regions. This suggests the scale of the breach may be much larger than initially reported.

Silence and confusion

Sources at Jubilee and AAR Insurance reported that they only became aware of the breach through the media, not via direct communication from CarePay or the Office of the Data Protection Commissioner (ODPC).

The regulator appeared to confirm this communication gap. In a public statement issued on October 29, the ODPC said it learned of the breach from news reports.

“The ODPC is aware of media reports that mobile-health-wallet platform M-Tiba may have experienced a cyber-incident involving the potential exposure of personal and health data of users,” the regulator said.

ODPC did not respond to the follow-up request for comment.

Under Kenya’s Data Protection Act (2019), data processors and controllers must report breaches within 72 hours of detection and promptly notify affected individuals if the breach poses a high risk to their rights or freedoms.

CarePay’s timeline indicates that the attack remained undetected for 10 days, and that neither M-Tiba nor its partner insurers have informed affected users.

“As the processor, we have informed the controllers who will subsequently inform data subjects,” the company reiterated, placing the responsibility on insurers and health payers.

Regulatory investigation

The ODPC has launched an investigation into the breach. An official confirmed that the office had received CarePay’s report and was assessing whether the company adhered to Kenya’s data protection requirements.

If found to have breached the reporting or notification obligations, CarePay could face fines or enforcement actions under the Data Protection Act.

Launched in 2016 through a collaboration between CarePay, Safaricom, and the PharmAccess Foundation, M-Tiba enables users to save, pay, and manage funds dedicated to healthcare. The platform processes millions of insurance and direct medical payments each year and claims to work with more than 3,000 hospitals across Kenya.

By Ayo
