The Office of the Data Protection Commissioner has launched an investigation over a possible data breach involving M-Tiba, a popular mobile health-wallet platform used by thousands of Kenyans.
The ODPC said in a statement on Wednesday, October 29, that it has taken notice of media reports on a purported cyber incident where personal and health-related information belonging to users of M-Tiba may have been compromised.
"The Office of the Data Protection Commissioner (ODPC) is aware of media reports that the mobile health-wallet platform M-Tiba may have experienced a cyber-incident involving the potential exposure of personal and health data of users," the statement read.
The ODPC stated that protecting citizens' personal data, especially health information, remains its top priority, assuring Kenyans that swift measures are being taken in line with the Data Protection Act, 2019.
"Our priority is to protect the rights of all data subjects, particularly given the sensitivity of health-related information, and ensure that appropriate action is taken in accordance with the Data Protection Act 2019 and its accompanying regulations," the statement added.
The commissioner's office has already engaged M-Tiba and other key stakeholders to determine the full extent of the alleged breach and assess what security measures the platform has implemented to safeguard user data.
"At this stage, the ODPC is actively engaging with the Data Processor, M-Tiba, and other stakeholders to establish the full facts of the situation," the statement concluded.
The investigation seeks to verify whether any user data has been compromised and to ensure that M-Tiba complies with Kenya's data protection laws regarding the storage and management of sensitive medical information.
This incident follows an earlier move by the ODPC to initiate an audit of the Social Health Authority (SHA) amid concerns over privacy risks in Kenya's expanding digital health ecosystem.
During a previous briefing on March 5, Data Commissioner Immaculate Kassait explained that while SHA had completed a Data Protection Impact Assessment (DPIA), it remained subject to post-audit reviews.
"They (SHA) have reached out to us and undertaken a Data Protection Impact Assessment, but that doesn't mean we cannot go and do a post-audit. One of the places we have identified to do an audit is actually the digital health information. That is something we have scheduled as an office to undertake," she said.
Kassait further stressed the importance of third-party data hosting agreements and obtaining patient consent before sharing personal health data with external service providers.
"What's important when data is being hosted by a third party is the third-party agreement; that is absolutely important. In the case of SHA, they have written to us with a data protection impact assessment, which we have assessed and identified gaps. We have insisted that when it comes to access to third-party data, they must get consent from the patients," she added.
The ODPC reiterated that patient consent and secure third-party data agreements are non-negotiable standards for any organization managing health information, underscoring Kenya's growing commitment to data privacy and digital health security.