Date: 2025-11-13

Image Source: Zikoko Memes

Remember when we reported that Kenyan healthtech platform M-Tiba’s systems were breached two weeks ago? There’s more.

Apparently, the hack hid in plain sight for ten whole days. For ten days, CarePay was not aware it had been hacked. And the whole time, the attackers moved through the Kenyan healthtech’s system, collecting sensitive data from nearly five million people.

If you don’t remember, here’s the tea🍵: Kazu, a self-described hacker group, said it gained (unauthorised) access to M-Tiba’s servers and walked away with more than 17 million files, about 2.15 terabytes of data. The group even released a 2GB sample online, containing patient names, national IDs, phone contacts, dates of birth, and in some cases, medical diagnoses and billing details for about 114,000 people across clinics and pharmacies, to prove they were not bluffing.

A TechCabal review of the accessed data found that all major insurance firms were affected, along with thousands of health facilities across the country.

CarePay has not yet contacted the affected individuals. The company says it has informed insurers, who will in turn notify affected patients. Regulators are now investigating to find out whether the company complied with local data laws.

Zoom out: The massive breach raises serious questions about how secure health data really is and whether companies are prepared to detect and stop future attacks.