A lot of people get wearable devices like smartwatches and rings to track and monitor several health markers like sleep, heart rate, and even recovery. But some people never really question where all this health data eventually goes or how it is stored once they take it off. Imagine that kind of data in the wrong hands.
Well, you don't have to imagine this scenario anymore, as it is already happening. On Wednesday, Indian wellness startup Ultrahuman, which makes smart rings that compete with the likes of the Oura ring, disclosed that it suffered a data breach.
Hackers accessed an internal analytics system on March 27 by stealing an employee's login credentials through malware. The company says about 0.1% of its users were affected. Based on its reported 700,000 monthly active users, that's at least 700 people, even though Ultrahuman never disclosed the actual numbers.
According to the company, the hackers only had "read-only" access to the breached data, meaning they could only see the data and couldn't change or delete anything.

In a notice reported by The Times of India, the company says, "The information visible to the unauthorised individual varied by account. The dataset that was accessed contained, depending on the user, contact and account details, order and transaction history, and for a smaller group of users, some fitness-related data associated with their product usage and purchases."
The company also said there was no breach of passwords, payment information, or production systems. Ultrahuman says the rings themselves weren't compromised.
The breach was discovered within hours. "Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly," CEO Mohit Kumar told TechCrunch.
Ultrahuman never fully explained what “fitness-related data associated with their product usage and purchases” actually means in this context. Heart rate data, sleep patterns, recovery scores?

The company also declined to confirm whether any data was copied or stolen, or merely viewed. “Read-only access” still means a hacker could potentially see everything inside that system; whether they downloaded it is another matter entirely.
This is one of the first major incidents involving a wellness wearable company, and it highlights why breaches involving companies like Ultrahuman and Oura should be taken seriously. These devices store deeply personal health and lifestyle information on company servers, and if exposed, that data could end up in the hands of unauthorised individuals. That creates a significant privacy risk.
Ultrahuman says it has since strengthened access controls, hardened endpoint security on all employee devices, and deployed export-volume anomaly detection. The company is also notifying regulators.
If you received an email from security-2026@ultrahuman.com, your account was part of the affected dataset. The email lists exactly what information was visible for your account. Ultrahuman advises users to watch out for phishing attempts. The company says it will never ask for your password or payment details by email or SMS.
This incident should serve as a warning to wearable wellness companies to ensure that breaches like this don't happen, especially in an age where cyberattacks are becoming more prominent.


