Wearable health tech startup Ultrahuman said hackers gained unauthorized access to customer wellness data after stealing an employee’s credentials via malware.
On Wednesday, the India-based startup notified affected customers of the incident via email, stating that the breach occurred on March 27 and involved a system used for internal analytics. The company said it detected the intrusion immediately, took the affected system offline and revoked all access.
Founded in 2019, Ultrahuman sells smart rings and metabolic health trackers that allow users to track metrics like sleep, activity and recovery. The startup is best known for the Ring Air, which competes with the Oura Ring, and recently introduced the Ring Pro with upgraded sensors and battery life.
Confirming the incident, Ultrahuman told TechCrunch that attackers gained access using credentials stolen from an employee’s malware-infected laptop, resulting in access to wellness data belonging to about 0.1% of users.
Based on the company’s previously reported number of about 700,000 monthly active users, that would equate to at least 700 customers whose health data was accessed. Ultrahuman did not dispute that number, but declined to disclose the exact number of customers affected. The company said no passwords, payment information, production systems or Ultrahuman Ring devices were compromised.
“Our security alert systems detected the incident within hours and we closed the vulnerability quickly,” Ultrahuman CEO Mohit Kumar said in a statement to TechCrunch.
Kumar added that the startup was notifying regulators and had delayed notifying affected users while it investigated the full scope of the incident and determined what data had been affected.
Ultrahuman declined to share details about whether it received any communication from the hackers responsible for the incident, and did not say exactly what constitutes “wellness data.” The breach highlights how wellness startups like Ultrahuman and Oura store user data on their servers in a way that allows their employees — as well as governments and malicious hackers — to access customers’ health data.
The startup said in a frequently asked question published on its website that the threat actor gained “read-only” access to the affected system. However, the company declined to confirm whether its investigation had determined whether customer data had been compromised.
Ultrahuman’s investors include Nexus Venture Partners, Steadview Capital and Blume Ventures. The startup has raised about $103 million to date, per Tracxn.
