As reported by cybersecurity researcher Jeremiah Fowler on WebsitePlanet, the data of 61 million users of fitness wearable devices ended up exposed online after a centralized database containing their information was found unprotected.
According to the analysis by Fowler and his team, the owner of the exposed database was GetHealth, whose API is touted as a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.”
Further investigation revealed that the data contained potentially sensitive information, including people's names, dates of birth, weight, height, gender and even geolocation. The researchers also found that the information could be traced back to sources such as Fitbit, Microsoft Band, Misfit Wearables, Google Fit and Strava, and that the affected users were located all around the world. All of it was stored in plaintext; only a single ID field was encrypted.
After confirming who owned the data, Fowler privately notified GetHealth, which responded quickly: later the same day, the company thanked the researcher and stated that the issue had been resolved.
It is not clear, though, how long the 16.71 GB of user data was left exposed, nor who might have accessed the database during that period.
WebsitePlanet also warns of the dangers surrounding health data stored in wearable devices: “It is a well-known fact that the health industry experiences more data breaches than any other sector. According to a report conducted by Trustwave, healthcare data can sell for up to $250 per record on the black market or dark web. That is a considerable sum compared to credit card records that are valued at an estimated $5.40.”