Security researchers discovered an unsecured database with 61 million health records related to fitness tracking devices and wearables. In a limited sample, Fitbit and Apple HealthKit were the predominant sources, but the data breach also affected other applications and wearables.
Extremely Valuable Information
A fitness tracker can improve your health and help you stay fit. In the process, however, it gathers extremely valuable information about your routine and body. When paired with data gathered from your online activities, this can be a gold mine for third parties, including cybercriminals.
Security researcher Jeremiah Fowler found a non-password protected database with millions of health-related records belonging to users from around the world.
“The most disturbing part of the discovery was that many of the records contained user data that included first and last name, display name, date of birth, weight, height, gender, geolocation, and more. This information was in plain text while there was an ID that appeared to be encrypted”, revealed Jeremiah Fowler.
Top Wearables Among the Sources
The researchers dissected a limited sample of around 20,000 records. In this sample, the majority of the exposed records originated from Apple HealthKit, with 17,764 instances. Fitbit, which was purchased by Google in January this year for $2.1 billion, appeared 2,766 times.
However, the data breach also affected other wearables and applications. Upon further investigation, the researchers noted that there were numerous references to GetHealth. This “health and wellness data unification solution provider” used to be headquartered in Dublin, Ireland, and had or has an office in New York (we’ve been unable to verify this).
According to GetHealth's API description, the application allows users to integrate data from Dailymile, Fatsecret, Fitbit, Google Fit, Jawbone, Lifefitness, MapMyFitness, MapMyRun, MapMyWalk, Microsoft Health, Misfit, Moves, PredictBGL, Runkeeper, Strava, Sony Lifelog, Withings, and 23andMe. It can also sync data from medical devices.
Jeremiah Fowler confirmed that, upon discovery, the researchers immediately notified GetHealth, who secured the system within hours. “We are not implying any wrongdoing by Gethealth, their customers or partners. Nor are we implying that any customer or user data was at risk”, said Jeremiah Fowler.
Nonetheless, it remains unclear how long the records were exposed or if they had already made their way to the dark web. “According to a report conducted by Trustwave, healthcare data can sell for up to $250 per record on the black market or dark web. That is a considerable sum compared to credit card records that are valued at an estimated $5.40.”
While most users may think that cybercriminals are not interested in the number of steps they take or how long they sleep, some data – especially combined with geolocation – could be useful to expose patterns. Subsequently, cybercriminals may carry out other types of attacks or commit fraud or extortion.
Good cyber hygiene for anyone who uses wearables and fitness trackers includes:
- Being on the lookout for phishing emails.
- Enabling two-factor authentication.
- Minimizing the amount of personal information provided when signing up for such accounts.
- Always tightening privacy settings.
Lack of Regulation
Remarkably, there’s still a lack of regulation when it comes to fitness trackers and wearables. All medical devices have to reach certain standards of safety, quality, security and efficiency. But so far, there are no clear regulations that apply to trackers and wearables, as long as the data is for personal use.
The main question is whether a fitness tracker or wearable can be classed as a medical device. “Once the data from a wearable technology is passed to a healthcare provider or other institution it may then be subjected to HIPAA regulations and HIPAA compliance standards”, explains Jeremiah Fowler.
Wearable devices have the capability of collecting sensitive health-related information, but worldwide the regulations seem to be far behind. Currently, there’s only a limited number of regulatory requirements, like a UL, FCC or CE marking and GDPR or CCPA compliance. However, these are not as stringent as for medical devices.