Claims of a major data breach at M-TIBA, Kenya’s mobile health wallet operated by Safaricom, have sparked concern over how health platforms handle sensitive personal data. The alleged hack, said to involve millions of users’ details, comes at a time when digital health systems are becoming central to care delivery and insurance administration across the country.
A user on the social media platform X, @_mailler, claims that a threat actor named “Kazu” has leaked 2.15 terabytes of data from M-TIBA, containing over 17 million files.
The alleged sample, which is approximately 2GB in size, is reported to include personal details of around 114,000 users, including names, national ID numbers, phone numbers, and dates of birth. It also allegedly contains diagnostic and billing data from nearly 700 health facilities.
The hacker claims the full dataset involves 4.8 million M-TIBA users. Some of the sample files, according to online accounts, include patient medical records, insurance information, and PDF scans showing ID and contact details.
Neither M-TIBA nor the Office of the Data Protection Commissioner (ODPC) has issued a public statement confirming or denying the breach.
M-TIBA was launched in 2015 by Safaricom in partnership with CarePay and the PharmAccess Foundation to let users save, send, and spend money specifically on healthcare.
With only one in five Kenyans covered by any form of health insurance, the platform sought to fill a crucial gap by making health payments simpler and more transparent. Funds stored in the M-TIBA wallet can only be used at accredited healthcare facilities, ensuring that they go directly toward medical expenses.
Over the years, M-TIBA has grown to serve more than 4.8 million users and now supports large-scale donor and government health financing schemes.
The model has been praised for improving access and accountability in healthcare spending. But it also exposes fault lines in digital inclusion—many low-income Kenyans remain excluded because they lack phones, national IDs, or digital literacy.
Safaricom, which provides the mobile infrastructure that powers M-TIBA, has yet to comment on the reported breach.
