
Data Commissioner Immaculate Kassait during a past event/FILE

The Office of the Data Protection Commissioner (ODPC) has launched investigations into a suspected data breach affecting users of mobile health-wallet platform M-Tiba.
In a statement issued Wednesday, the ODPC said it had taken note of media reports suggesting that M-Tiba may have experienced a cyber incident resulting in the potential exposure of users’ personal and health-related data.
“Our priority is to protect the rights of all data subjects, particularly given the sensitivity of health-related information, and ensure that appropriate action is taken in accordance with the Data Protection Act 2019 and its accompanying regulations,” the ODPC said.
The regulator confirmed that it is in contact with M-Tiba, the data processor, as well as other relevant stakeholders, to establish the full facts of the incident.
“At this stage, the ODPC is actively engaging with M-Tiba and other stakeholders to determine the nature and scope of the possible breach,” the statement added.
While the extent of the alleged cyber incident remains unclear, the ODPC has assured the public that it will take necessary steps to ensure accountability and protect affected individuals.
The Data Protection Act requires all data controllers and processors to implement robust security measures to safeguard personal data against unauthorised access, loss, or disclosure.
It also mandates prompt notification to the ODPC and affected data subjects in the event of a breach that poses a risk to their rights and freedoms.
M-Tiba, a popular mobile-based health financing platform, enables users to save, send, and spend money specifically for healthcare services through a digital wallet. It is widely regarded as one of Kenya’s standout digital innovations.
Launched in 2016 through a partnership between CarePay, Safaricom, and the PharmAccess Foundation, M-Tiba allows users to manage healthcare funds, receive insurance benefits, and access government health subsidies directly from their phones.
The platform has become an integral part of Kenya’s push toward inclusive digital health financing.
According to its privacy policy, M-Tiba defines personal data as any information that can be traced back to an identifiable individual user.
This includes details such as a person’s name, address, national identification number, telephone number, fingerprint (where biometric identification is used), medical records, location data, and membership or policy numbers.
The policy further notes that such information may also cover individuals connected to a user’s healthcare program, including spouses, children, or other registered dependents.
To enhance data security, the platform states that personal information may be pseudonymised or anonymised when possible.
However, M-Tiba acknowledges that while it strives to uphold stringent safeguards, no digital security system is entirely foolproof due to the inherent risks of internet-based operations.
“We cannot guarantee that information, during transmission or while stored on our systems or otherwise in our care, is totally safe from intrusion by others,” the company notes in its policy statement.
To minimise potential risks, users are urged to take responsibility for protecting their accounts by not sharing login credentials, ensuring private network access, and maintaining secure storage of their information.












