Fitbit, Apple user data exposed in breach impacting 61M fitness tracker records

An unsecured database containing over 61 million records related to fitness trackers and wearables exposed Apple and Fitbit users' data online.

Researchers with WebsitePlanet and security researcher Jeremiah Fowler discovered a non-password-protected database that contained tens of millions of records belonging to fitness tracking and wearable devices and apps. The unsecured database belonged to GetHealth, which offers a unified solution to access health and wellness data from hundreds of wearables, medical devices and apps, according to a WebsitePlanet report posted Monday.

The cybersecurity team discovered the unsecured database June 30, ZDNet reported.

Fowler said he immediately sent a disclosure notice to the company of the security findings. GetHealth responded rapidly, and the system was secured within a matter of hours, ZDNet reported.

Many of the records contained user data that included first and last name, display name, date of birth, weight, height, gender and geolocation. A limited sampling of 20,000 records showed that the majority of the exposed records came from Fitbit devices and Apple HealthKit. According to GetHealth’s website, the company can sync health-related data from sources including 23andMe, Fitbit, Google Fit, Jawbone UP, Microsoft, Sony Lifelog, Withings, Apple HealthKit and Android Sensor.

"It is unclear how long these records were exposed or who else may have had access to the dataset," Fowler wrote in the report.


"We are not implying any wrongdoing by GetHealth, their customers or partners. Nor are we implying that any customer or user data was at risk," he wrote.

The report findings should help raise awareness of the dangers and cybersecurity vulnerabilities posed by the Internet of Things, wearable devices, fitness and health trackers and how those data are stored, Fowler wrote.

The researchers recommend companies and organizations encrypt sensitive data, enact cyber hygiene practices and conduct penetration testing often.

"Misconfigurations, such as a database without a password, allow attackers easy access to your systems or data. It’s the equivalent of leaving your door unlocked or window open," Tim Erlin, vice president of strategy at cybersecurity company Tripwire, told Fierce Healthcare.

"All organizations should regularly audit their systems for misconfigurations, especially those systems that are accessible to the Internet. Even if you’ve deployed systems with a secure configuration to start, a simple change can give attackers access," he said.

There are currently no clear HIPAA (Health Insurance Portability and Accountability Act) regulations that apply to wearable technology as long as the data are used for personal purposes. However, once the data from a wearable device or fitness tracker are passed to a healthcare provider or other institution, they may then be subject to HIPAA regulations and HIPAA compliance standards, Fowler noted.

"Wearable devices and smartphones have the technology to collect patient-generated health data (PGHD) that could expose sensitive health data, but the regulation seems to be far behind," he wrote.


Most wearable users think that cybercriminals will not be interested in how many steps they take or how long they sleep. Fowler notes that all data are valuable, and, as the technology of wearables expands, so do the types and accuracy of data that are collected on users. The data could be used to carry out other attacks, to commit fraud or extortion or to obtain more targeted health information, the researchers wrote in the report.

The data breach, while seeming to be somewhat benign due to the lack of Social Security numbers or credit card info, actually contains a significant amount of information that could be useful for criminals, according to Erich Kron, security awareness advocate at KnowBe4, a provider of security awareness training.

"This information, which includes GPS logs of individuals, is the kind of information that will cause a collective groan of pain from executive protection teams and physical security practitioners alike. This information makes it much easier for bad actors to locate where people are living or staying, and can expose patterns of travel," Kron told Fierce Healthcare via email.