Ultrahuman exposed wellness data for 0.1% of its users, totaling around 700 individuals. The healthtech startup waited over two months to inform affected users after hackers gained access via an employee's laptop. The incident raises questions about data fiduciary responsibilities, especially for a company holding sensitive biometric insights.
How We Got Here
The breach occurred on March 27, but Ultrahuman only notified affected users on June 2. Ultrahuman CEO Mohit Kumar attributed the delay to the time needed to audit the full scope of the exposed data.
The Numbers
- Hackers had read-only access to user contact details, transaction history, and "some fitness-related data" related to product usage.
- No passwords, payment, or credit card information was compromised in the breach.
- The attack used login credentials stolen from an employee's malware-infected laptop to reach an internal analytics system.
- CERT-In's April 2022 directions, issued under Section 70B of India's IT Act, 2000, mandate reporting cyber incidents to CERT-In within six hours of noticing them.
- The upcoming DPDP Rules, 2025, require informing users "without delay" and the Data Protection Board within 72 hours.
What Happens Next
🇮🇳 Why This Matters for India
For healthtech founders in Bengaluru and Hyderabad, this breach spotlights the critical need for robust internal security, as employee devices remain prime attack vectors.
The Take
Ultrahuman's 67-day lag in notifying users sets a concerning precedent for Indian healthtech, especially when biometric data is involved. The DPDP Rules, once in force, will make such delays legally untenable, turning this into a costly lesson.
Source:
MediaNama ↗