Apple HealthKit and Fitbit Records of 60 Million Users Exposed

  • By Dawna M. Roberts
  • Published: Sep 27, 2021
  • Last Updated: Mar 18, 2022

This week an unsecured database belonging to GetHealth exposed wearable fitness data for more than 60 million users. A lot of it came from Apple’s HealthKit.

What Happened?

GetHealth, a New York company, calls itself a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.”

According to ZDNet,

“The firm’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit.”

Cybersecurity researchers found the database online on June 30, 2021, and said it was not password protected and could easily be accessed by anyone. They found more than 61 million records in the file, some of them sensitive, containing users’ names, dates of birth, weight, height, gender, and GPS logs, among other pieces of information.

Security experts examined a sample of the data (20,000 records) and found that most of the records came from Apple’s HealthKit and Fitbit. The researchers explained, “This information was in plain text while there was an ID that appeared to be encrypted. The geolocation was structured as in “America/New York,” “Europe/Dublin,” and revealed that users were located all over the world.”

Alarmingly, the research also showed that the file pinpointed where the data was stored and provided a “blueprint of how the network operates from the backend and was configured.”

How Did GetHealth Respond?

Notations within the database indicated that GetHealth was the owner of the file. Cybersecurity researcher Jeremiah Fowler alerted GetHealth as soon as he discovered the data breach. The company responded quickly and secured the file within a few hours. After that, the company’s CTO contacted Fowler to thank him and assure him that the matter was resolved.

Data Breach in Apple's HealthKit

WebsitePlanet commented,

“It is unclear how long these records were exposed or who else may have had access to the dataset. […] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access.”

ZDNet reached out to GetHealth for their side of the story, but the company has not yet responded with a comment.

Wearables Security Fitness

The wearable fitness market is booming. A large portion of Apple’s ecosystem is devoted to health and fitness, but all that collected data ends up somewhere, and as we have witnessed here, it’s not very secure.

Consumers may find it convenient to use wearables to track their workouts and measure heart rate and oxygen levels, but they also trust that this personal medical and fitness information will be secured and protected by the companies collecting it.

It is a surprise that Apple’s health information collected from millions of devices ended up in an unsecured database with a third-party company called GetHealth. How are they connected to Apple, and why are they collecting the data? What is it being used for?

These and other questions illuminate the glaring fact that users of these wearables are eager to use them but don’t really know what information is being collected, how or where it is being stored, or who is using it, or for what purpose.

Apparently, wearable fitness security has a long way to go to be compliant with various privacy and security standards across the globe. Until then, users should understand that whenever they agree to start sending health or fitness data through their device, there is a good chance it could be exposed online or sold in a data breach. Buyer beware, as they say.
