Ultrahuman Breach Exposed Customer Wellness Data Through Stolen Employee Credentials
Ultrahuman disclosed that attackers accessed customer wellness data after using credentials stolen from an employee whose laptop was infected with malware. The intrusion targeted an internal analytics system on March 27, and the company said it detected the activity within hours, took the affected system offline, and revoked access. Ultrahuman said the attackers had read-only access and that passwords, payment information, production systems, and Ultrahuman Ring devices were not compromised.
The company said about 0.1% of users were affected, which based on its previously reported user base could amount to at least 700 customers. Ultrahuman has begun notifying impacted users and regulators after completing an audit of the incident’s scope, but it has not confirmed whether any data was exfiltrated or specified exactly which wellness data was accessed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Ultrahuman begins notifying impacted customers
Ultrahuman notified impacted customers on Wednesday after delaying notice until it had completed an audit of the incident's scope. The company also said it had begun notifying regulators.
Ultrahuman detects breach and takes affected system offline
Ultrahuman said it detected the incident within hours of the March 27 breach. The company revoked access and took the affected internal system offline as part of its response.
Attackers access Ultrahuman analytics system using stolen employee credentials
On March 27, attackers used credentials stolen from an employee's malware-infected laptop to access Ultrahuman's internal analytics system containing customer wellness data. Ultrahuman said the access was read-only and affected about 0.1% of users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Under Armour Investigates Everest Ransomware Data Leak Affecting 72M Customers
Under Armour said it is investigating claims that an unauthorized party obtained customer data after a dataset tied to the company was posted to a hacker forum and subsequently ingested by breach-notification services. **Have I Been Pwned** reported obtaining a copy of the data and notifying roughly **72 million** individuals; the exposed information reportedly includes names, email addresses, gender, date of birth, approximate location (postcode/ZIP-derived), and purchase-related data, and also contains numerous Under Armour employee email addresses. Under Armour stated there is currently **no evidence** the incident affected *UA.com* or systems used to process payments or store customer passwords, while noting that the portion of customers with “sensitive” information impacted is believed to be small. Multiple reports tie the leak to a **November 2025** intrusion claimed by the **Everest** ransomware group, which alleged Under Armour failed to meet a negotiation deadline and that the data was then published and redistributed across forums and leak sites. One account describes the theft as involving **343 GB** of company data and indicates the forum-posted dataset includes **72 million email addresses** plus additional PII and purchase information; another report cites a much larger dataset claim (over **191 million records** with ~**72.7 million** unique email addresses) and notes a US class action lawsuit alleging negligence and large-scale exfiltration, including potential employee data. Reporting also reiterates Everest’s typical tradecraft, including credential-based access and use of remote access tooling (e.g., *AnyDesk*, *Splashtop*), though Under Armour has not publicly confirmed the intrusion vector or the full scope of data exfiltration.
Mar 21, 2026
Healthcare Data Breaches and Patient Record Exposure at Providers and Vendors
Multiple healthcare entities reported **unauthorized access and patient data exposure**, with incidents spanning direct provider compromises and third-party vendor breaches. **Insight Hospital and Medical Center (Chicago)** disclosed suspicious activity in its IT environment, with investigators confirming **unauthorized network access from Aug 22 to Sep 11, 2025**; the organization said the review is ongoing but potentially impacted data includes **names, DOB, SSNs, passport numbers, financial account data, treatment information, and insurance details**. Two extortion groups publicly claimed responsibility: **LockBit** alleged theft of ~`200 GB` and **Termite** claimed `360 GB`, stating it leaked data in late February 2026. In France, attackers stole about **15.8 million administrative files** after breaching health-ministry software supplier **Cegedim Santé**, impacting its *MonLogicielMedical (MLM)* product used by thousands of doctors; the stolen data reportedly included **identity and contact details**, and in a smaller subset (~**165,000** files) **free-text doctors’ notes** that in limited cases contained sensitive medical-history details. Separately, **OCAT, LLC d/b/a Evoke Wellness at Hilliard** updated a breach notification describing **unauthorized network activity** and potential access to patient information; reporting also tied the matter to an **insider misuse** investigation in which a former employee allegedly accessed and sold patient data, though public filings contained **inconsistent timelines** about when the underlying incident occurred and when it was discovered.
Mar 25, 2026
Figure Data Breach Linked to Employee Social Engineering and ShinyHunters Leak
**Figure Technology Solutions**, a blockchain-based lending/fintech firm, confirmed a **data breach** after an employee was **socially engineered**, enabling attackers to access and exfiltrate a **limited number of files**. The company said it is communicating with partners and impacted individuals, has begun sending notifications, and is offering **free credit monitoring** to recipients of breach notices; it has not publicly disclosed the total number of affected individuals or when the incident was detected. The cybercrime group **ShinyHunters** claimed responsibility and alleged Figure refused to pay a ransom, publishing about **2.5GB** of purportedly stolen data on its leak site. Journalists who reviewed samples reported the exposed data included **names, home addresses, dates of birth, and phone numbers**, increasing risk of identity fraud and follow-on phishing. ShinyHunters also told reporters the intrusion was part of a broader campaign affecting organizations including **Harvard University** and **UPenn**, and referenced victims that rely on **Okta** for single sign-on.
Mar 21, 2026