The Office of the Data Protection Commissioner (ODPC) has moved swiftly to address mounting public concern following reports of a possible data breach involving M-Tiba, Kenya’s popular mobile health-wallet platform.
In a statement issued on Wednesday, October 29, the ODPC confirmed it had taken note of claims circulating in the media suggesting that M-Tiba may have suffered a cyber incident that could have exposed users’ personal and health data.
“The Office of the Data Protection Commissioner (ODPC) is aware of media reports that the mobile health-wallet platform M-Tiba may have experienced a cyber-incident involving the potential exposure of personal and health data of users,” the statement read in part.
The regulator underscored that protecting citizens’ privacy — especially sensitive medical data — remains a top priority, promising swift and decisive action in line with the Data Protection Act, 2019 and its accompanying regulations.

“Our priority is to protect the rights of all data subjects, particularly given the sensitivity of health-related information, and ensure that appropriate action is taken,” the ODPC added.
Ongoing Investigations
The ODPC further disclosed that it is engaging directly with M-Tiba and other stakeholders to determine the extent and impact of the alleged breach.
“At this stage, the ODPC is actively engaging with the Data Processor, M-Tiba, and other stakeholders to establish the full facts of the situation,” the agency stated.
M-Tiba, developed as a digital platform to help Kenyans save, send, and spend funds specifically for healthcare, has millions of users across the country. A breach involving such sensitive data could therefore have far-reaching implications for digital trust in the health sector.
Wider Scrutiny in Digital Health
This incident comes just months after the ODPC announced an audit of the Social Health Authority (SHA) over privacy and data-handling concerns.
Speaking on March 5, Data Commissioner Immaculate Kassait emphasized that while SHA had conducted a Data Protection Impact Assessment (DPIA), it would not be exempt from further audits.
“They (SHA) have reached out to us and undertaken a Data Protection Impact Assessment, but that doesn’t mean we cannot go and do a post-audit,” Kassait said. “One of the areas we’ve identified for audit is digital health information — something we have scheduled as an office to undertake.”
Kassait further highlighted the critical role of third-party agreements in safeguarding data when it is hosted externally, insisting that consent from patients must always be obtained.
“What’s important when data is being hosted by a third party is the third-party agreement; that is absolutely essential. We have assessed SHA’s data protection impact assessment and identified gaps. We have insisted that when it comes to access to third-party data, they must get consent from the patients,” she noted.
Rising Data Privacy Concerns
The M-Tiba incident adds to a growing list of privacy scares in Kenya’s expanding digital ecosystem, with the ODPC recently recommending prosecution of several corporate directors for non-compliance with data protection laws.
As investigations continue, the ODPC has assured Kenyans that measures are being taken to uphold data integrity and accountability, warning all data processors and controllers — particularly those in health and fintech — to adhere strictly to privacy regulations or face legal consequences.







