The startup Ultrahuman reveals a health data leak that occurred on March 27, 2026. Hackers exploited an employee’s credentials to access an internal database.
An infected laptop as an entry point
It was through a classic but effective vector that attackers managed to penetrate Ultrahuman’s systems. An employee of the Indian startup was using a laptop compromised by malware designed to steal login credentials. This data allowed the intruders to access an internal analysis tool, thus exposing well-being information belonging to a portion of the platform’s users. The incident occurred on March 27, 2026, more than two months before the company publicly informed its users.
The company states that it detected the intrusion quickly and immediately took the affected system offline, while revoking all access. « Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly, » said Mohit Kumar, founder and CEO of Ultrahuman, in a statement to TechCrunch.
What the hackers could view
According to the official page published by Ultrahuman on its website, attackers gained « read-only » access to the compromised system. Specifically, potentially exposed information includes account data, contact details, and transaction history. Passwords, bank card data, and payment information were not affected, nor were the production systems and the Ultrahuman Ring devices themselves.
« On March 27, 2026, we had a security incident, but the most important facts first: no passwords, card details, or payment data were involved, and we have found no evidence of misuse, » Kumar said in an email sent to affected users.
The CEO described the exposure as akin to a lost order receipt found on the street: identification and contact information visible, but nothing financially sensitive. The company specifies that it has strengthened its internal control policies and endpoint security on employee devices following the incident.
The scale of the incident and remaining questions
According to figures released by Ultrahuman, approximately 0.1% of its users were affected. The startup had around 700,000 monthly active users in March 2026, bringing the number of people concerned to at least 700 individuals. The company did not dispute this calculation but declined to disclose a precise figure.
Significant questions remain. Ultrahuman has not indicated whether biometric data was actually exfiltrated or merely viewed, nor if the attackers had contacted the company. The startup has also not clarified exactly what « well-being data » encompasses in this specific context, making it difficult to assess the real risk for affected users. The company acknowledged that it delayed notifying users while it audited the exact scope of the incident and identified the specific data concerned. Relevant regulators have been notified as part of this process.
The alert email sent to users encourages them to remain vigilant against phishing attempts, a standard precaution after such incidents, as exposed contact data could be used for targeted phishing campaigns.
A structural issue for the entire sector
This incident goes beyond Ultrahuman’s specific case and illustrates an inherent vulnerability in the health wearables market. Manufacturers of connected rings and watches, from Oura to Samsung and Fitbit, by definition centralize highly personal biometric data on their servers: sleep data, heart rate, heart rate variability, skin temperature, menstrual cycle tracking. This centralization means that unauthorized access, whether from an employee, a government, or a malicious group, always remains technically possible.
Founded in 2019 in Bengaluru, Ultrahuman has gradually established itself in this competitive market with its Ring Air, a direct competitor to the Oura Ring, and more recently with the Ring Pro, featuring improved sensors and better battery life. The startup has raised approximately $103 million to date, with support from investors such as Nexus Venture Partners, Steadview Capital, and Blume Ventures. The company claims a privacy-focused approach, a stance put to the test by this incident. It is worth noting that both Ultrahuman and Oura were previously involved in a patent infringement case in 2024 before the U.S. International Trade Commission, a dispute that highlighted some questionable business practices by the Indian startup.
User trust in connected health platforms depends on these companies’ ability to protect some of the most intimate data imaginable. This incident serves as a reminder that an internal analysis tool, often considered peripheral in a company’s security architecture, can be a sufficient entry point to expose personal information on a large scale. Affected Ultrahuman users should remain vigilant for potential fraudulent contact attempts in the coming weeks and consult the official information page published by the company for details concerning their data.