Ultrahuman Data Breach Exposes Users’ Wellness Data

Notice of a security incident — March 2026

Wearable healthtech startup Ultrahuman has said it suffered a cyberattack after hackers gained unauthorised access to users’ wellness data. While the security breach occurred on March 27, the company informed affected users of the incident on June 2, more than two months later.

Ultrahuman said hackers gained “read-only” access to users’ contact details, transaction history and “some fitness-related data” related to product usage and purchases. However, it did not say whether hackers downloaded or copied any customer data to external systems.

“The access was constrained in scope by the system’s design, which did not permit modification or deletion of data. We identified the incident promptly, took the affected system offline, and revoked all access,” the company said in a statement.

How did it happen? As per a TechCrunch report, hackers gained access to the company’s internal analytics system after stealing login credentials from an employee’s malware-infected laptop. Ultrahuman CEO Mohit Kumar told TechCrunch in a statement that the wellness data of 0.1% of its users was accessible after the breach. However, the company said no passwords, payment or credit card information was accessible or affected by this incident.

Who was affected? Ultrahuman did not share the exact number of affected users. In the past, it said it had 700,000 monthly active users, meaning at least 700 users had their health data accessed. The company said the investigation is still ongoing and that it has informed relevant regulatory authorities under applicable data protection law.

Why the 2-month delay? Ultrahuman’s CEO claimed that the company’s security systems flagged the incident within hours. So why were the affected users informed over two months after the breach occurred? Kumar reportedly said the startup delayed notifying users as it needed to audit “the full scope of the incident and determine what data had been affected”.

  • Under Section 70B of the Information Technology Act, 2000, any service provider, intermediary, data centre, or corporate or government organisation must report a cyber incident to CERT-In, the cyber wing of the IT ministry, within six hours of becoming aware of it. It is unclear whether Ultrahuman reported the incident to CERT-In within that six-hour window.
  • Further, India’s Digital Personal Data Protection (DPDP) Rules, 2025, mandate that a Data Fiduciary inform users of a personal data breach “without delay”. It must also share a detailed report of the breach with the Data Protection Board within 72 hours of becoming aware of it, including measures implemented to mitigate risk, any findings regarding the person who caused the breach, and remedial measures taken to prevent such breaches from recurring. The company is most likely to have bypassed this legal requirement, as the Data Protection Board is still not functional.

What happens when someone exposes your smart ring data? Ultrahuman sells smart rings and metabolic health-tracking devices that allow users to monitor sleep, activity, glucose levels, ovulation phases and more. The company stated that attackers accessed affected users’ “fitness” data, but withheld exact details about what the dataset included. Wearable health data can reveal the user’s sleep patterns, location data, and app- and dashboard-linked account credentials.

  • Hackers who compromise a wearable platform, its apps, or connected services could sell the user’s data on the dark web, use it to impersonate the user, and leverage it in targeted phishing or health-related scams. Because this data is more personal and specific, scams built on it can seem more convincing than generic ones.

Here’s how such scenarios would play out in the real world:

Is India’s data protection law sufficient to protect users’ health data? The DPDP Rules, 2025, notified in November last year, do not specifically mention how the law protects users’ health data. Further, the DPDP Rules say that companies must have a requirement in place in their contracts with data processors (entities that process data on a company’s behalf) that the processors will implement ‘reasonable security standards’ during their processing activities. However, they do not clearly define these security standards.

  • Speaking to MediaNama earlier, Shivangi Rai, the Deputy Coordinator of C-HELP, raised concerns about the ambiguity of terms such as “appropriate technological and organizational measures” and “appropriate security measures” used in the DPDP Rules. She opined that the Rules should have mandated that data fiduciaries and significant data fiduciaries not just implement security measures but demonstrate that they carry out data processing in conformity with security standards and the law.
  • “The rules should have made it mandatory to periodically review and update the measures,” Rai explained, adding that there is a need for measurable benchmarks to judge the “appropriateness” of the measures. Further, she mentioned that audits and DPIA requirements should apply to all data fiduciaries, not just significant ones.
  • The overarching Act also governs data security, in addition to the Rules. Based on the volume and nature of personal data processed, the central government can notify certain data fiduciaries or classes of data fiduciaries (including startups) as exempt from certain requirements, such as erasing the personal data of an individual after they withdraw consent for its processing, unless required to retain said data under law. “The fact that startups may be exempted from adopting any data protection and security measures under the Act is also problematic,” Rai said.

Cybersecurity incidents on the rise in India: The Ultrahuman data breach highlights how health-tracking companies like Ultrahuman store users’ data in ways that make it easily accessible not just to their employees but also to governments and threat actors. It comes less than two years after a hacker used Telegram chatbots to leak data, including medical reports of millions of users, from insurance firm Star Health. As per Reuters, which first reported the Star Health data breach, policy and claims documents containing names, phone numbers, addresses, tax details, copies of ID cards, test results and medical diagnoses of nearly 31 million users were up for sale on Telegram.

More recently, a Bengaluru-based cybersecurity researcher publicly exposed security vulnerabilities in CBSE’s On-Screen Marking portal and hacked into two of its domains after authorities denied that any vulnerabilities existed.

Questions sent to Ultrahuman
1) How many users were affected due to the data breach? While the incident occurred on March 27, Ultrahuman informed affected users of the breach on June 2. What was the reason for the delay in notifying users? The company says the wellness data of some users had become accessible to hackers. Could you share details on exactly what is counted as “wellness” data here?

2) The startup says hackers gained “read-only” access to users’ data, and an investigation is underway. Have you determined whether any customer data was downloaded or copied to an external system?

3) Ultrahuman says it has informed relevant regulatory authorities of the incident under applicable data protection law. Please disclose the names of the regulators you’ve informed so far in connection with the breach.

4) Under Section 70B of the IT Act, 2000, companies are required to report cybersecurity incidents to CERT-In within six hours of noticing any breach. Did Ultrahuman report the incident to CERT-In within the six-hour window?

The article will be updated if and when we receive a response from Ultrahuman.
