Connected medical and wellness devices increasingly act as front-ends for sensitive physiological data and, in some cases, as inputs that may influence health-related decisions. Their typical architecture, comprising embedded sensors, a companion mobile application, and cloud services, expands the attack surface beyond the device itself and makes security failures can become clinically relevant through privacy loss, data integrity issues, and reduced availability. This paper presents a reproducible black-box audit of nine commercially available connected health devices (glucometers, a blood pressure monitor, thermometers, a pulse oximeter, and wearables). We apply a structured evaluation framework derived from ETSI consumer IoT baseline requirements and conformance assessment, adapted to the connected-health context by emphasising data protection, secure onboarding, and update trust. The audit covers 31 test cases organised into eight operational vectors (network exposure, firmware/OS, update mechanisms, communications security, configuration portals, mobile app security, authentication/account security, and physical/auxiliary surface), and uses conservative evidence criteria (no exploitation, minimal reproducible indicators) to support repeatability and responsible disclosure. Across 150 applicable test outcomes, 58.0\% were favourable, 23.3\% were unfavourable, and 18.7\% were inconclusive due to limited technical transparency or insufficient artefacts. We conclude with actionable recommendations for manufacturers and procurement, focused on secure-by-design onboarding, verifiable update pipelines, and measurable privacy controls.