
Wearable health tech startup Ultrahuman said hackers gained unauthorized access to customers’ wellness data after stealing an employee’s credentials through malware. The breach affects at least 700 users of the company’s smart rings and metabolic health tracking devices.
The incident highlights growing security concerns around wellness tracker companies that store sensitive health data on their servers, making the information accessible to employees, governments, and potentially malicious actors. As consumers increasingly rely on wearable devices to monitor their health, the security of this intimate data becomes more critical.
On Wednesday, the India-based startup informed affected customers of the incident via email, stating that the breach occurred on March 27 and involved a system used for internal analytics. The company reported it detected the intrusion promptly, took the affected system offline, and revoked all access.
Founded in 2019, Ultrahuman sells smart rings and metabolic health-tracking devices that enable users to monitor metrics such as sleep, activity, and recovery. The startup is best known for its Ring Air, which competes with the popular Oura Ring, and recently introduced the Ring Pro with upgraded sensors and battery life.
The attackers gained access using credentials stolen from an employee’s malware-infected laptop and accessed wellness data belonging to about 0.1% of users. Based on the company’s previously reported figure of roughly 700,000 monthly active users, that would equate to at least 700 customers who had their health data compromised. Ultrahuman did not dispute this figure but declined to disclose the exact number of customers affected.
The company said no passwords, payment information, production systems, or Ultrahuman Ring devices were compromised. However, the nature of the “wellness data” accessed remains unclear, as the company declined to specify what information was involved.
“Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly,” Ultrahuman CEO Mohit Kumar said. Kumar added that the startup was notifying regulators and had delayed informing affected users while it audited the full scope of the incident and determined what data had been affected.
The breach raises important questions about data security practices among wellness tracker companies. These startups typically store users’ highly personal health information on centralized servers, creating potential targets for cybercriminals and privacy concerns for users who may not realize how their data is stored and accessed.
Key details about the breach include:
- Hackers gained “read-only” access to an internal analytics system
- The attack was detected within hours through security alerting systems
- About 0.1% of the user base was affected
- No payment information or device firmware was compromised
- The company has not confirmed whether data was actually stolen
Ultrahuman declined to say whether it had received any communication from the hackers or to confirm whether customer data was actually removed from its systems. The company published an FAQ on its website stating that the threat actor obtained “read-only” access to the affected system, but it would not confirm whether its investigation had determined that any customer data was actually taken.
This incident adds to growing concerns about the security of health data collected by consumer wellness devices. Unlike traditional medical data protected by strict regulations, information gathered by consumer fitness trackers often falls into regulatory gray areas, potentially leaving users with less protection.
Ultrahuman counts Nexus Venture Partners, Steadview Capital, and Blume Ventures among its investors. The startup has raised around $103 million to date, positioning it as a significant player in the competitive wearable health tech market dominated by companies like Oura, Apple, and Fitbit.