Ultrahuman, an India-based wearable health-tech startup, has confirmed that hackers gained unauthorized access to customer wellness data after compromising an employee's laptop with malware. The breach, which occurred on March 27, affected an internal analytics system and exposed health information for approximately 700 customers, representing 0.1% of the company's roughly 700,000 monthly active users. The company notified affected customers via email on Wednesday, several days after the incident.
Founded in 2019, Ultrahuman manufactures smart rings and metabolic health-tracking devices that monitor sleep, activity, and recovery metrics. The startup competes directly with Oura Ring through its Ring Air product and recently launched the Ring Pro with enhanced sensors and battery life. The company has raised approximately $103 million from investors including Nexus Venture Partners, Steadview Capital, and Blume Ventures.
The attackers obtained credentials from an employee's malware-infected laptop, which granted them access to the internal analytics system. According to the company's FAQ, the threat actor gained read-only access to the affected system. However, Ultrahuman declined to confirm whether its investigation determined if customer data was actually exfiltrated from the system. The company also refused to specify what types of information constitute "wellness data" or whether the hackers made any contact or demands.
Ultrahuman CEO Mohit Kumar stated that the company's security alerting systems detected the incident within hours, and the team immediately closed the vulnerability and revoked all access. The company emphasized that no passwords, payment information, production systems, or Ultrahuman Ring devices were compromised during the breach. Kumar explained that the delay in notifying affected users was necessary to audit the full scope of the incident and determine exactly what data had been affected. The company said it is notifying relevant regulators about the breach.
The incident highlights ongoing security concerns with wellness tracker companies that store sensitive health data on centralized servers accessible to employees. This architecture creates potential access points for malicious actors, as well as governments and internal personnel. Organizations using similar devices should review their data handling practices and consider whether employees require access to production customer data. Companies should implement strict access controls, monitor for credential theft, and deploy endpoint protection on all devices with access to customer information.
Source: https://techcrunch.com/2026/06/03/ultrahuman-says-hackers-accessed-customers-wellness-data-via-internal-tool/