Editor's Review

The Office of the Data Protection Commissioner (ODPC) has moved to address concerns following reports of a possible data breach involving M-Tiba.

The Office of the Data Protection Commissioner (ODPC) has moved to address concerns following reports of a possible data breach involving M-Tiba, a popular mobile health-wallet platform. 

In a statement on Wednesday, October 29, the ODPC said it had taken note of the claims circulating in the media regarding a potential cyber incident affecting the platform. 

"The Office of the Data Protection Commissioner (ODPC) is aware of media reports that the mobile health-wallet platform M-Tiba may have experienced a cyber-incident involving the potential exposure of personal and health data of users," the statement read.

The ODPC emphasized that the protection of citizens’ data remains its top priority, especially when it involves health-related details.

"Our priority is to protect the rights of all data subjects, particularly given the sensitivity of health-related information, and ensure that appropriate action is taken in accordance with the Data Protection Act 2019 and its accompanying regulations," the statement added.

Read More

  1. Gov’t Agency to Audit SHA After Privacy Concerns
  2. ODPC Recommends Prosecution of Zuku, Geosky Directors
  3. Data Commissioner Hosts Stakeholders as ODPC Pushes for Data Compliance

The ODPC further revealed that it is in contact with M-Tiba and relevant stakeholders as part of an ongoing investigation to determine the extent of the alleged breach.

"At this stage, the ODPC is actively engaging with the Data Processor, M-Tiba and other stakeholders to establish the full facts of the situation," the statement concluded.

File image of an M-Tiba truck during a past roadshow

This comes months after the ODPC scheduled an audit on Social Health Authority (SHA) over privacy concerns.

Speaking on Wednesday, March 5, Data Commissioner Immaculate Kassait said that while SHA had reached out to the ODPC and conducted a Data Protection Impact Assessment (DPIA), it did not exempt them from further scrutiny.  

"They (SHA) have reached out to us and undertaken a Data Protection Impact Assessment, but that doesn’t mean we cannot go and do a post-audit. One of the places we have identified to do an audit is actually the digital health information. That is something we have scheduled as an office to undertake,” she said.

Additionally, Kassait highlighted the importance of third-party agreements in cases where data is hosted externally.

"What’s important when data is being hosted by a third party is the third-party agreement; that is absolutely important. In the case of SHA, they have written to us with a data protection impact assessment, which we have assessed and identified gaps. 

"We have insisted that when it comes to access to third-party data, they must get consent from the patients," she added.