61 Million Health Records Related to Fitness Tracking Devices Exposed


Security researchers discovered an unsecured database containing 61 million health records related to fitness tracking devices and wearables. In a limited sample, Fitbit and Apple HealthKit were the predominant sources, but the data breach also affected other applications and wearables.

Extremely Valuable Information

A fitness tracker can improve your health and help you stay fit. In the process, however, it gathers extremely valuable information about your routine and body. When paired with data gathered from your online activities, this can be a gold mine for third parties, including cybercriminals.

Security researcher Jeremiah Fowler found a non-password protected database with millions of health-related records belonging to users from around the world.

“The most disturbing part of the discovery was that many of the records contained user data that included first and last name, display name, date of birth, weight, height, gender, geolocation, and more. This information was in plain text while there was an ID that appeared to be encrypted”, revealed Jeremiah Fowler.

Some Top Wearables the Source

The researchers dissected a limited sample of around 20,000 records. In this sample, the majority of the exposed records originated from Apple HealthKit, with 17,764 instances. Fitbit, which Google acquired in January this year for $2.1 billion, appeared 2,766 times.

However, the data breach also affected other wearables and applications. Upon further investigation, the researchers noted that there were numerous references to GetHealth. This “health and wellness data unification solution provider” used to be headquartered in Dublin, Ireland, and had or has an office in New York (we’ve been unable to verify this).

According to GetHealth’s API description, the application allows users to integrate data from Dailymile, Fatsecret, Fitbit, Google Fit, Jawbone, Lifefitness, MapMyFitness, MapMyRun, MapMyWalk, Microsoft Health, Misfit, Moves, PredictBGL, Runkeeper, Strava, Sony Lifelog, Withings, and 23andMe. It can also sync data from medical devices.

Database Secured

Jeremiah Fowler confirmed that, upon discovery, the researchers immediately notified GetHealth, which secured the system within hours. “We are not implying any wrongdoing by GetHealth, their customers or partners. Nor are we implying that any customer or user data was at risk”, said Jeremiah Fowler.

Nonetheless, it remains unclear how long the records were exposed or if they had already made their way to the dark web. “According to a report conducted by Trustwave, healthcare data can sell for up to $250 per record on the black market or dark web. That is a considerable sum compared to credit card records that are valued at an estimated $5.40.”

While most users may think that cybercriminals have no interest in how many steps they take or how long they sleep, some of this data, especially when combined with geolocation, could be used to expose patterns of behaviour. Those patterns could then enable other types of attacks, fraud or extortion.

Good cyber hygiene for anyone who uses wearables and fitness trackers includes:

Lack of Regulation

Remarkably, there’s still a lack of regulation when it comes to fitness trackers and wearables. All medical devices have to reach certain standards of safety, quality, security and efficiency. But so far, there are no clear regulations that apply to trackers and wearables, as long as the data is for personal use.

The main question is whether a fitness tracker or wearable can be classed as a medical device. “Once the data from a wearable technology is passed to a healthcare provider or other institution it may then be subjected to HIPAA regulations and HIPAA compliance standards”, explains Jeremiah Fowler.

Wearable devices have the capability of collecting sensitive health-related information, but worldwide the regulations seem to be far behind. Currently, there’s only a limited number of regulatory requirements, like a UL, FCC or CE marking and GDPR or CCPA compliance. However, these are not as stringent as for medical devices.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using VPNOverview.com's dedicated VPN testing protocol, which has been fine-tuned and optimized over the years.