Kenya’s ODPC confirms investigation into alleged M-Tiba data leak

The Office of the Data Protection Commissioner (ODPC) has officially broken its silence regarding the massive alleged data breach involving the mobile health-wallet platform M-Tiba. The regulator has confirmed it is actively investigating the situation following reports that highly sensitive medical and personal data belonging to up to 4.8 million Kenyans was exfiltrated and put up for sale online.

In a press statement released earlier today, October 29, 2025, the ODPC stated it is “aware of media reports that the mobile health-wallet platform M-Tiba may have experienced a cyber-incident involving the potential exposure of personal and health data of users.”

This official acknowledgement comes a couple of days after the allegations first surfaced, detailing claims by a threat actor named “Kazu” of having stolen 2.15 terabytes of data, including patient diagnoses, National ID numbers, full names, and telephone numbers.

The ODPC stressed that its “priority is to protect the rights of all data subjects,” a concern amplified by the inherent sensitivity of health-related information involved in this case.

"Our priority is to protect the rights of all data subjects—particularly given the sensitivity of health-related information—and ensure that appropriate action is taken in accordance with the Data Protection Act 2019 and its accompanying regulations."

At this stage, the regulatory body is not confirming the scale of the breach, but states it is “actively engaging with the Data Processor, M-Tiba and other stakeholders to establish the full facts of the situation.” This engagement is the necessary first step under the Data Protection Act, which mandates clear procedures for handling data breaches.

Here’s the full statement:

ODPP-statement-on-M-TIBA-data-leak

The ODPC’s immediate move to open an investigation signifies the seriousness with which the regulator is treating the reports. Should the claims of the 2.15TB data leak, which reportedly includes comprehensive PII and Protected Health Information (PHI) from hundreds of health facilities, be substantiated, M-Tiba could face significant legal and financial consequences under the Data Protection Act 2019. The Act imposes strict requirements on data processors to protect personal information.

This developing situation exposes millions of Kenyans to potential risks of identity theft and financial fraud due to the combination of personal and medical records allegedly exposed.

We will continue to monitor the situation as the ODPC proceeds with its fact-finding mission and as M-Tiba, as expected, provides further clarity to its users and the public.

Hillary Keverenge

Making tech news helpful, and sometimes a little heated. Got any tips or suggestions? Send them to hillary@tech-ish.com.
