Wearable health technology company Ultrahuman has disclosed a data breach that exposed the wellness and account information of some of its customers. The security incident, which occurred on March 27, resulted from an unauthorized third party gaining access to an internal system using stolen employee credentials. The company has since notified affected users and regulatory authorities while implementing enhanced security protocols to prevent future occurrences.
Details of the Security Incident
The breach originated from a malware-infected employee laptop, which allowed attackers to obtain credentials and gain read-only access to an internal analytics platform. Ultrahuman stated that its security systems detected the intrusion within hours of it occurring. The company promptly took the compromised system offline and revoked all access to contain the threat and prevent further unauthorized activity.
According to the company, the breach impacted approximately 0.1% of its user base, a figure that could represent at least 700 customers based on previously reported user numbers. While Ultrahuman did not provide a precise count, it emphasized that sensitive information such as passwords and payment details was not compromised. The accessed dataset included contact details, order history, and for a smaller subset, some fitness-related data.
Company Response and Mitigation
In a statement, CEO Mohit Kumar affirmed that the vulnerability was closed swiftly after its detection. The company delayed notifying users until June 2 to allow for a thorough internal audit to determine the full scope of the incident. This investigation was crucial to accurately identify which users were affected and what specific categories of their data were involved.
In response to the breach, Ultrahuman has implemented several remediation measures to prevent a recurrence. These steps include strengthening access control policies across all internal systems and hardening endpoint security on employee devices with stricter controls. Additionally, the company has increased the frequency of its internal access audits and deployed new anomaly detection systems for data exports.
Impact on Users and Data Privacy
All individuals impacted by the security incident have been directly contacted by email, with each notification specifying the types of information that were visible. Ultrahuman has advised all customers to remain cautious of potential phishing attempts that may reference the company or their personal data. The company reiterated that it will never request passwords or payment details via email or SMS.
This incident underscores the significant data security responsibilities held by companies in the rapidly growing wellness technology sector. While Ultrahuman confirmed the attacker had read-only access, it did not clarify whether its investigation concluded that any customer data was actually exfiltrated. The breach raises important questions about how sensitive health metrics are stored and protected from internal and external threats.
Ultrahuman's Market Position
Ultrahuman, founded in 2019, has become a prominent competitor in the smart ring market with products like its Ring Air and Ring Pro. The India-based startup has attracted significant investment, having raised approximately $103 million to date from firms including Nexus Venture Partners and Steadview Capital. This funding has supported its growth and innovation in the competitive wearable technology landscape.
Ultrahuman is actively working to reinforce its security infrastructure and rebuild customer trust following this data breach. The company's transparent communication and swift technical response are critical steps in managing the incident's fallout. This event serves as a stark reminder for the entire health tech industry about the paramount importance of safeguarding sensitive user wellness data.