Apple HealthKit and Fitbit Records of 60 Million Users Exposed
- By Dawna M. Roberts
- Published: Sep 27, 2021
- Last Updated: Mar 18, 2022
This week an unsecured database belonging to GetHealth exposed wearable fitness data for more than 60 million users. A lot of it came from Apple’s HealthKit.
What Happened?
GetHealth, a New York company, calls itself a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.”
According to ZDNet,
“The firm’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit.”
Cybersecurity researchers found the database online on June 30, 2021, and said it was not password protected and could easily be accessed by anyone. Researchers found more than 61 million records in the file, some of them sensitive, containing users’ names, dates of birth, weight, height, gender, and GPS logs, among other pieces of information.
Security experts examined a sample of the data (20,000 records) and found that most of the records came from Apple’s HealthKit and Fitbit. The researchers explained, “This information was in plain text while there was an ID that appeared to be encrypted. The geolocation was structured as in ‘America/New York,’ ‘Europe/Dublin,’ and revealed that users were located all over the world.”
Alarmingly, the research also showed that the file pinpointed where the data was stored and provided a “blueprint of how the network operates from the backend and was configured.”
How Did GetHealth Respond?
Notations within the database indicated that GetHealth was the owner of the file. Cybersecurity researcher Jeremiah Fowler alerted GetHealth as soon as he discovered the data breach. The company responded quickly and secured the file within a few hours. After that, the company’s CTO contacted Fowler to thank him and assure him that the matter was resolved.
WebsitePlanet commented,
“It is unclear how long these records were exposed or who else may have had access to the dataset. […] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access.”
ZDNet reached out to GetHealth for their side of the story but the company has not yet responded with a comment.
Wearable Fitness Security
The wearable fitness market is booming. A large portion of Apple’s ecosystem is devoted to health and fitness, but all that collected data ends up somewhere, and as we have witnessed here, it’s not very secure.
Consumers may find it convenient to use wearables to track their workouts and measure heart rate and oxygen levels, but they also trust that this personal medical and fitness information will be secured and protected by the companies collecting it.
It is a surprise that Apple’s health information collected from millions of devices ended up in an unsecured database belonging to a third-party company called GetHealth. How are they connected to Apple, and why are they collecting the data? What is it being used for?
These and other questions illuminate the glaring fact that users of these wearables are eager to use them but don’t really know what information is being collected, how or where it is being stored, who is using it, or for what purpose.
Apparently, wearable fitness security has a long way to go to be compliant with the various privacy and security standards across the globe. Until then, users should understand that whenever they agree to start sending health or fitness data through their device, there is a good chance it could be exposed online or sold in a data breach. Buyer beware, as they say.