A hacker named “Kazu” is advertising a data set on darkforums[.]st, a cybercrime forum. The data is allegedly from M-Tiba, a Kenyan mobile health and insurance platform, and contains personal and medical records of 4.8 million users.
Kazu claims to have accessed 2.15 terabytes of data, including highly sensitive patient diagnoses and personal identity information.

The breach was first detailed in a comprehensive thread on X. According to screenshots posted in the thread, the hackers are advertising the data on the cybercrime forum and are claiming the full dump contains 17,158,105 files.
So, M-Tiba got hacked and according to the hackers, Kazu, the data leak contains 17,158,105 files and is 2.15TB in size.
They have provided a sample of ~2GB that contains patients' diagnosis data by the health providers, and PII leak for Kenyans who use that.
Here’s a thread.
1/ pic.twitter.com/Ic7sIuCvKl — mailler (@_mailler) October 27, 2025
The hackers provided a 2GB sample to substantiate their claims. According to the analysis by @_mailler, the sample alone contains data on over 114,000 M-Tiba users, including both account holders and their beneficiaries.
The dataset is a trove of personally identifiable information (PII), reportedly including:
- Full names
- National ID numbers
- Telephone numbers
- Dates of birth
- Gender
The breach appears to extend far beyond user registration data and deep into clinical operations. The sample reportedly includes a data dump from “nearly 700” health facilities. JSON snippets posted in the thread show patient names, email addresses, phone numbers, and “treatment Diagnoses” fields, all linked to specific providers like “Equity Afia Medical Centre- Agro House.”

Furthermore, the researcher notes the sample contains approximately 2,600 PDF scans. These files allegedly contain detailed billing and diagnosis breakdowns for patients, exposing their full names, ID or Passport numbers, email addresses, and even the full names of their doctors.
The scale of this alleged breach is staggering. M-Tiba is a cornerstone of Kenya’s digital health ecosystem, and the leak of protected health information (PHI) combined with financial and personal identity data (PII) on this scale would be a catastrophic privacy failure. It exposes millions of Kenyans to severe risks, including identity theft, financial fraud, and the public disclosure of their private medical histories.

