Ultrahuman says hackers gained access to customer health data via an internal tool

Wearable health technology startup Ultrahuman said hackers gained unauthorized access to customer health data after employee credentials were stolen through malware.

On Wednesday, the India-based startup notified affected customers of the incident via email, noting that the hack occurred on March 27 and involved a system used for internal analytics. The company said it immediately discovered the breach, stopped the affected system from working, and revoked all access to it.

Founded in 2019, Ultrahuman sells smart rings and metabolic health trackers that enable users to monitor metrics like sleep, activity, and recovery. The startup is best known for its Ring Air product, which competes with the Oura Ring, and recently introduced the Ring Pro with upgraded sensors and battery life.

Confirming the incident, Ultrahuman told TechCrunch that attackers gained access using credentials stolen from an employee’s malware-infected laptop, resulting in access to health data belonging to about 0.1% of users.

Based on the company’s previously announced figure of about 700,000 monthly active users, that equates to at least 700 customers whose health data was accessed. Ultrahuman did not dispute this number, but declined to reveal the exact number of affected customers. No passwords, payment information, production systems or Ultrahuman Ring devices were compromised, the company said.

“Our security alert systems detected the incident within hours, and we quickly closed the vulnerability,” Ultrahuman CEO Mohit Kumar said in a statement to TechCrunch.

Kumar added that the startup was notifying regulators and delayed informing affected users while it reviewed the full scope of the incident and determined what data was affected.

Ultrahuman declined to share any details about whether it has received any contact from the hackers responsible for the incident, and did not say what exactly constitutes “wellness data.” The hack highlights how wellness tracking startups, such as Ultrahuman and also Oura, store user data on their servers in a way that allows their employees – as well as governments and malicious hackers – to access customers’ health data.

The threat actor gained “read-only” access to the affected system, the startup said in an FAQ posted on its website. However, the company declined to confirm whether its investigation had determined whether any customer data had been leaked.

Ultrahuman counts Nexus Venture Partners, Steadview Capital and Blume Ventures among its investors. The startup has raised about $103 million so far, according to Tracxn.