
We Built Digital Health Systems Without Securing Them. Now Constituents Are Paying for It.

By Wayan Vota on April 30, 2026


The development sector is proud of what it has built. DHIS2 runs national health information systems in more than 80 countries. CommCare supports community health workers at scale. Safaricom-backed M-Tiba distributed insurance benefits and government health subsidies to millions of Kenyans. These are real achievements.

They are also real targets.

In October 2025, a threat actor claimed to have stolen more than 2.15 terabytes of data from M-Tiba’s servers, including patients’ names, national ID numbers, dates of birth, phone contacts, medical diagnoses, and billing information, affecting up to 4.8 million users.

Kenya’s Office of the Data Protection Commissioner confirmed it had opened an investigation. This happened two months after M-Tiba announced it had received ISO 27001 certification for its information security management.

In June 2024, the BlackSuit ransomware group brought down South Africa’s National Health Laboratory Service after a single employee clicked a phishing link. The NHLS runs 265 laboratories serving roughly 80% of South Africa’s population.

The attack delayed an estimated 6.3 million blood tests. HIV, TB, and mpox diagnostics stalled. The NHLS later admitted its systems were “in no way geared to counter” the attack.

No donor has been held accountable for either failure. No implementing partner has faced a regulatory penalty. The people whose data was exposed received no notification, had no legal recourse, and were left with no remedy of any kind.

That is the scandal. Not the breaches. The accountability structure that makes them inevitable.

We’ve Known of Cybersecurity Threats for Years.

USAID formally recognized cybersecurity as a development challenge in its 2020 Digital Strategy. Its 2023 Cybersecurity Primer stated that every USAID activity and program must consider cybersecurity as a strategic and operational matter. The Principles for Digital Development include a dedicated principle on privacy and security.

None of this requires anything.

  • There is no mandated budget line for security in digital projects.
  • No penetration testing requirement before deployment.
  • No security audit required at program closeout.
  • No donor publicly discloses what percentage of its digital health portfolio has undergone independent security review.

The commercial IT sector treats 10-15% of total IT budget as a baseline security allocation. No comparable standard exists for development-funded digital systems, because no one publishes the data.

The sector does not measure what it does not believe it owns.

NetHope’s 2023 State of Humanitarian and Development Cybersecurity found that 66% of surveyed nonprofit members reported their cybersecurity programs were underfunded, and 65% were not confident in their cybersecurity posture. Its 2025 report noted a 241% increase in cyberattacks against civil society organizations between 2024 and 2025.

We have had this data for years. The sector wrote recommendations. No one changed the funding requirements.

Scale Without Security Is Just a Bigger Attack Surface

Here is what I find most troubling about the current conversation around digital health global goods. We celebrate the reach. DHIS2 in 80 countries. OpenMRS serving millions. These are cited as evidence that open-source development models work.

They also mean that a vulnerability in a national deployment of any of these platforms is a vulnerability affecting a country’s entire health information infrastructure.

DHIS2 has a dedicated security team, a vulnerability disclosure policy, and solid platform-level security documentation. What it does not publish is results of independent penetration tests on national deployments. Neither does OpenMRS. Neither does CommCare.

Platform-level security and deployment-level security are not the same thing.

The NHLS ran TrakCare, a commercial laboratory information system, within one of Africa’s most sophisticated regulatory environments: under the Protection of Personal Information Act, with an Information Regulator and a national CSIRT.

It was still brought down by a phishing email. The framework existed. The operational investment did not.

INTERPOL’s 2025 Africa Cyberthreat Assessment found that 90% of African countries require significant upgrades to law enforcement and prosecution capacity.

Ransomware detections in Africa rose sharply in 2024, and the wider fraud picture followed the same trend:

  • South Africa recorded nearly 18,000 ransomware detections.
  • Kenya recorded more than 3,000.
  • In Tanzania, deepfake-driven fraud surged 317% in a single year.
  • In Nigeria, financial institutions lost the equivalent of roughly $35 million to fraud, a 196% increase over five years.

Donors know this threat environment. It is not a surprise. Deploying systems into it without security requirements is a choice.

Who Actually Gets Hurt: Constituents

When M-Tiba’s data was stolen, the records exposed included HIV status, diagnoses, and insurance information. In contexts where HIV disclosure can cost someone their employment, their relationships, or their safety, this is not an abstract privacy violation.

No affected user had been notified as of the most recent reporting. The operator neither confirmed nor denied the breach.

When the NHLS went offline in South Africa, a peer-reviewed account in the South African Medical Journal documented the clinical impact at Tygerberg Hospital alone. The patients affected were overwhelmingly from the public health system, which serves people who have no private alternative.

The pattern is consistent across incidents: the populations development programs were built to serve bear the full cost of security failures, with no legal recourse directed at the organizations that built, funded, or implemented the systems.

I have found no case in which a donor or implementing partner faced regulatory sanction or legal action for a data breach affecting beneficiary populations in an LMIC. That absence is not evidence of good practice. It is evidence that no accountability mechanism currently operates.

What Accountability Would Look Like

I want to be clear that the problem here is structural, not individual. Program managers are not negligent; they are working within incentive structures that treat security as overhead. The fix requires changing those structures at the donor level.

Improving digital development cybersecurity outcomes requires treating security as a structural requirement, not a professional development topic.

NetHope’s Digital Protection Program demonstrates that collective infrastructure, shared threat intelligence, and funded capacity are achievable. The sector has not adopted these approaches at scale because donors have not required it.

Certification and frameworks are necessary conditions, not sufficient ones. The sufficient condition is sustained, funded, audited operational security. That requires donors to stop treating it as optional.


Written by
Wayan Vota co-founded ICTworks. He also co-founded Technology Salon, Career Pivot, MERL Tech, ICTforAg, ICT4Djobs, ICT4Drinks, JadedAid, Kurante, OLPC News and a few other things. Opinions expressed here are his own and do not reflect the position of his employer, any of its entities, or any ICTWorks sponsor.