
A threat actor is advertising a colossal data set on a cybercrime forum, allegedly containing the personal and medical records of 4.8 million users.
A major Kenyan mobile health and insurance platform, M-Tiba, is at the center of the alleged breach. A threat actor, identified as “Kazu,” is claiming to have exfiltrated 2.15 terabytes of data, including highly sensitive patient diagnoses and personal identity information.
The breach was first detailed in a comprehensive thread on X (formerly Twitter) by the user @_mailler. According to screenshots posted in the thread, the hackers are advertising the data on the cybercrime forum darkforums[.]st, claiming the full dump contains 17,158,105 files.
In a screenshot of what appears to be a direct message, the threat actor claims the total number of impacted users is 4.8 million.
The hackers provided a 2 GB sample to substantiate their claims, and the details are alarming. According to the analysis by @_mailler, the sample alone contains data on over 114,000 M-Tiba users, including both account holders and their beneficiaries. The sample reportedly includes the following personally identifiable information (PII):
- Full names
- National ID numbers
- Telephone numbers
- Dates of birth
- Gender
The breach appears to extend far beyond user registration data and deep into clinical operations. The sample reportedly includes a data dump from “nearly 700” health facilities. JSON snippets posted in the thread show patient names, email addresses, phone numbers, and “treatmentDiagnoses” fields, all linked to specific providers like “Equity Afia Medical Centre- Agro House.”
Furthermore, the researcher notes the sample contains approximately 2,600 PDF scans. These files allegedly contain detailed billing and diagnosis breakdowns for patients, exposing their full names, ID or Passport numbers, email addresses, and even the full names of their doctors.
The scale of this alleged breach is staggering. M-Tiba is a cornerstone of Kenya’s digital health ecosystem, and a leak of protected health information (PHI) combined with financial data and PII on this scale would be a catastrophic privacy failure. It would expose millions of Kenyans to severe risks, including identity theft, financial fraud, and the public disclosure of their private medical histories.



