REPORT: Fitness Tracker Data Breach Exposes 61 Million Records and User Data Online

The WebsitePlanet research team, working with security researcher Jeremiah Fowler, discovered an unprotected, password-free database containing more than 61 million records belonging to users around the world. A large number of the exposed records were related to IoT health and fitness tracking devices. Upon further investigation, there were multiple references to "GetHealth," a New York City-based company that provides a unified solution for accessing health and wellness data from hundreds of wearables, medical devices, and apps. I immediately sent a responsible disclosure notice regarding my discovery and received a response the next day thanking me for the notice and confirming that the exposed data had been secured.

The most disturbing part of the discovery is that many of the records contain user data, including first and last name, display name, date of birth, weight, height, gender, geographic location, and more. The information was in plain text; only one of the IDs appeared to be encrypted. Geographic locations were stored in a timezone-style format such as "U.S./New York" and "Europe/Dublin," and the users were distributed around the world.

In a limited sample of 20k+ records, several of the top wearable health and fitness trackers appeared as a "source": Fitbit (acquired by Google for $2.1 billion in 2021) appears 2,766 times, and Apple's HealthKit appears 17,764 times. Other apps or devices may also be affected. According to GetHealth's website, the service can sync data from the following sources: 23andMe, DailyMile, FatSecret, Fitbit, GoogleFit, JawboneUP, LifeFitness, MapMyFitness, MapMyWalk, Microsoft, Misfit, MovesApp, PredictBGL, Runkeeper, SonyLifelog, Strava, VitaDock, Withings, AppleHealthKit, AndroidSensor, sHealth.

Apple HealthKit can collect more sophisticated metrics, including blood pressure, weight, sleep levels, blood sugar and more. Once an iPhone user gives an app permission to use Apple's health and fitness data, that app can draw on the sensors in the phone, connected wearables and smart devices to collect more health data than many other devices or apps. This collection can run silently in the background on any iPhone for which the user has granted permission.

Here are the details of the findings:

Total Size: 16.71 GB
Total Records: 61,053,956
Exposed Indices: deviceapi_FitnessDeviceAPI_heartrate, deviceapi_profile, deviceapi_PulseOx, deviceapi_sleep, deviceapi_tracker, deviceapi_Weight

Internal records exposed the following fields: deviceapi_profile, type, id, score, source, source id, weight, e_id, time acquired, height, birthday, gethealthID, first name, last name, display name, url, gender, organization id, timezone. This information could be used in targeted phishing attacks or to obtain other health information about the user. The database also revealed where the data is stored and a blueprint of how the network is run and configured from the back end.

[Screenshot: example of how user data appeared in the database]

[Screenshot: example of a profile account]

Fitness trackers pose privacy risks

Fitness trackers are designed to understand and improve our health by providing key information that may indicate health risks. In collecting information from users, the devices must be able to access very private information about our lives, our health, and more.

According to a report by the Pew Research Center, an estimated 20 percent of U.S. adults own some type of wearable device or fitness tracker. These devices will generate a large number of health-related data points over the years and create long-term privacy risks.

Many of these devices are not anonymous: they are tied to users' accounts, which encourage users to enter personally identifiable information in their profiles. This makes it extremely easy to identify who the data belongs to in the event of a data breach. Another issue is that there are no uniform privacy standards for wearables, so it is possible for companies to use this data for advertising or marketing, or to share it with third parties. A further question is whether companies provide users with an "end-of-use policy" and how long the data will be stored.

What is a medical device? Wearables present complex issues

There is some debate about whether wearable fitness trackers and other IoT wearables should be considered medical devices. The line between consumer apps and apps with medical uses is becoming increasingly blurred. In recent years, regulators in the U.K., the U.S. and the European Union have attempted to define what constitutes a medical device and how it should be regulated. The data these devices collect is valuable to medical research and to the health and wellness industry.

The U.S. Food and Drug Administration designated Fitbit's software for over-the-counter use as a Class II medical device. On Sept. 14, 2020, Fitbit received FDA clearance and CE mark approval for its electrocardiogram feature for tracking arrhythmias. Fitbit devices currently collect data from about 29 million users worldwide, and Google claims that Fitbit users' health data will not be used for Google advertising. In many other areas, the technology is outpacing laws and regulations at the expense of user privacy.

According to GetHealth.io's website and FAQ, the process is HIPAA-compliant: "user data is secure via SSL transmission, AES256 encryption, logging, and monitoring, and all data is stored and managed in a HIPAA-compliant manner."

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law designed to protect sensitive patient health information from disclosure with or without the consent or knowledge of the patient. There are no explicit HIPAA regulations that apply to wearable technology, as long as the data is used for personal use. However, once data from wearable technology is passed to a healthcare provider or other organization, it may be subject to HIPAA regulations and HIPAA compliance standards. Wearables and smartphones have the technology to collect patient-generated health data (PGHD) that could expose sensitive health data, but regulation seems far behind.

Most wearable users believe that no cybercriminal is interested in how many steps they take or how long they sleep, but it is a mistake to ignore how that data is used or shared. All data is valuable, and as wearable device technology has evolved, so have the type and accuracy of the data collected on users. A simple step counter or pedometer is relatively harmless, while some wearables record more detailed information such as heart rate or body mass index. In theory, the detailed information collected by fitness trackers on millions of users could provide a general picture of these individuals and their overall health. That data could then be used to carry out other attacks, fraud, or extortion, or to obtain more targeted health information.

Collecting and storing health data is risky

All of the information collected must be stored somewhere, which creates vulnerabilities and potential data exposure points. The healthcare industry needs data management platforms to collect and filter the vast amounts of data it gathers. The global health data management market is expected to grow to $46.7 billion by 2026. As the healthcare technology industry grows, so does the amount of data collected and stored.

Health data from wearable devices is a treasure trove of information that will undoubtedly be targeted by cybercrime. The health industry is known to suffer more data breaches than any other industry. According to a report by Trustwave, healthcare data can sell for up to $250 per record on the black market or dark web. That's a sizable amount compared to credit card records, which are valued at about $5.40.

It's unclear how long the records were exposed or who else had access to the data set. As security researchers, we never extract or download the data we find, and only take a limited number of screenshots for verification. We are not implying any wrongdoing on the part of Gethealth, its clients or partners. Nor are we implying that any customer or user data is at risk. Until the database is closed to public access, we will not be able to determine the exact number of individuals affected. We are simply highlighting our findings to raise awareness of the dangers and cybersecurity vulnerabilities posed by the Internet of Things, wearables, fitness and health trackers, and how this data is stored. We recommend that any company or organization encrypt sensitive data, put cyber hygiene measures in place, and conduct frequent penetration tests.