Notice of a security incident — March 2026
Wearable healthtech startup Ultrahuman has said it suffered a cyberattack after hackers gained unauthorised access to users’ wellness data. While the security breach occurred on March 27, the company informed affected users of the incident on June 2, more than two months later.
Ultrahuman said hackers gained “read-only” access to users’ contact details, transaction history and “some fitness-related data” related to product usage and purchases. However, it did not say whether hackers downloaded or copied any customer data to external systems.
“The access was constrained in scope by the system’s design, which did not permit modification or deletion of data. We identified the incident promptly, took the affected system offline, and revoked all access,” the company said in a statement.
How did it happen? According to a TechCrunch report, hackers gained access to the company’s internal analytics system using login credentials stolen from an employee’s malware-infected laptop. Ultrahuman CEO Mohit Kumar told TechCrunch in a statement that the wellness data of 0.1% of its users was accessible after the breach. However, the company said no passwords, payment or credit card information was accessible or affected by this incident.
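The attack path described above, a valid credential used by someone other than its owner, is the classic infostealer scenario, and the practical detection question is whether the analytics system would notice the credential turning up from an origin the employee had never used. The script below is an added illustration, not Ultrahuman’s tooling or any code from the reports cited here: it builds a per-user baseline of (source IP, device) pairs from a constructed, hypothetical access log and flags later sessions from unknown origins, summarising how many events and which actions they covered.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log for a hypothetical internal analytics service.
# Field names, users, hosts and IPs are invented for this example.
SAMPLE_LOG = """\
2026-03-20T09:12:03Z user=analyst.a src=10.20.4.17 device=corp-lt-0412 action=query.read
2026-03-21T10:01:44Z user=analyst.a src=10.20.4.17 device=corp-lt-0412 action=query.read
2026-03-22T11:30:12Z user=analyst.b src=10.20.4.22 device=corp-lt-0518 action=query.read
2026-03-27T02:48:10Z user=analyst.a src=203.0.113.45 device=unknown action=query.read
2026-03-27T02:49:30Z user=analyst.a src=203.0.113.45 device=unknown action=export.read
2026-03-27T02:50:02Z user=analyst.a src=203.0.113.45 device=unknown action=query.read
2026-03-27T03:15:00Z user=analyst.b src=10.20.4.22 device=corp-lt-0518 action=query.read
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"device=(?P<device>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse the key=value log format above into a list of event dicts."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable log line: {raw!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Known (src, device) origins per user, learned from events before cutoff."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            known[e["user"]].add((e["src"], e["device"]))
    return known


def flag_new_origins(events, cutoff):
    """Return one finding per (user, origin) seen at or after cutoff but never
    in that user's baseline. Each finding aggregates event count and actions."""
    known = build_baseline(events, cutoff)
    findings = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ts"] < cutoff:
            continue
        origin = (e["src"], e["device"])
        if origin in known[e["user"]]:
            continue  # origin already associated with this user
        f = findings.setdefault(
            (e["user"], origin),
            {
                "user": e["user"],
                "src": e["src"],
                "device": e["device"],
                "first_seen": e["ts"],
                "events": 0,
                "actions": set(),
            },
        )
        f["events"] += 1
        f["actions"].add(e["action"])
    return list(findings.values())


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    # Everything before the 27th is treated as the learning window.
    for f in flag_new_origins(evts, datetime(2026, 3, 27, tzinfo=timezone.utc)):
        print(
            f"ALERT user={f['user']} new origin {f['src']}/{f['device']} "
            f"first_seen={f['first_seen'].isoformat()} "
            f"events={f['events']} actions={sorted(f['actions'])}"
        )
```

The caveat a practitioner should keep in mind: an origin check catches a credential replayed from the attacker’s own infrastructure, but malware resident on the employee’s laptop can proxy requests through that trusted device and inherit its IP and device identity. Endpoint telemetry, phishing-resistant MFA bound to the device, and short-lived session tokens that cannot be lifted from disk are what close that gap; the login-anomaly rule is a complement, not a substitute.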
Who was affected? Ultrahuman did not share the exact number of affected users. It has previously said it had 700,000 monthly active users; applying the 0.1% figure to that base gives roughly 700 users whose health data was accessed, and more if the user base has grown since. The company said the investigation is still ongoing and that it has informed the relevant regulatory authorities under applicable data protection law.
Why the 2-month delay? Ultrahuman’s CEO claimed that the company’s security systems flagged the incident within hours. So why were the affected users informed over two months after the breach occurred? Kumar reportedly said the startup delayed notifying users as it needed to audit “the full scope of the incident and determine what data had been affected”.
- Under Section 70B of the Information Technology Act, 2000, and the CERT-In directions of April 2022 issued under it, any service provider, intermediary, data centre, or corporate or government organisation must report a cyber incident to CERT-In, the cyber wing of the IT ministry, within six hours of becoming aware of it. It is unclear whether Ultrahuman reported the incident to CERT-In within that six-hour window.
- Further, India’s Digital Personal Data Protection (DPDP) Rules, 2025, require a Data Fiduciary to inform affected users of a personal data breach “without delay”. It must also file a detailed report of the breach with the Data Protection Board within 72 hours of becoming aware of it, covering the measures implemented to mitigate risk, any findings regarding the person who caused the breach, and the remedial measures taken to prevent a recurrence. In practice, the company most likely could not have met this reporting requirement, because the Data Protection Board is not yet operational.