A recent database leak of Apple HealthKit and Google FitBit services has put over 61 million people’s data potentially at risk of compromise.
The 16.7GB database, which was left without password protection, is owned by GetHealth, a US-based provider of health data services.
Data points exposed in the leak included personal information such as names, dates of birth, gender, and location. The individual’s weight and height were also included in the database.
Jeremiah Fowler, the security researcher who uncovered the database, said, “I immediately sent a responsible disclosure notice of my findings and received a reply the following day thanking me for the notification and confirming that the exposed data had been secured.”
According to Fowler, it was not clear how long the data had been exposed, or whether it had been accessed by malicious actors.
“We are only highlighting our discovery to raise awareness of the dangers and cyber security vulnerabilities posed by IoT [internet of things], wearable devices, fitness and health trackers, and how that data is stored,” he said.
Most owners of wearable devices might assume that no cyber-criminal could possibly be interested in their daily step count. However, the information could potentially be used to track the movements of someone who walks their dog at the same time every day, and therefore to infer when they are unlikely to be at home.
As wearable technology is further developed, these devices collect more specific and intimate data that could be of value to bad actors. Cybercriminals could use data on people’s weight loss goals to target them with phishing emails using diet or personal training plans as a lure.
Hannah Hart of ProPrivacy encouraged users of fitness-tracking apps and devices to check their privacy settings immediately and to be vigilant against possible follow-on incidents.
“While wearable devices have made it that much easier to track our weight, sleep patterns, and even our relationship with alcohol – we hardly want this information to be widely accessible as a person’s health history should be utterly confidential,” she said. “While GetHealth has since secured the affected database, it is apparently yet unclear who might have had access to the previously unsecured database and for how long.”
This data breach highlights the need for stronger data privacy and security measures, and for moving away from simpler methods of data access management such as passwords alone. Crafting and implementing data-centered security policies can go a long way toward reducing the risk, and companies should apply as many protection methods as possible.
The data breach also highlights privacy concerns around wearable technology itself. In the US, for example, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects patients from having their health data disclosed without their consent. Although HIPAA regulations would usually protect such data, the information collected by consumer wearables is not considered protected health information.
Tech firms have an opportunity to anticipate potential future data breaches, mitigate the risk of such incidents, and prevent bad actors from accessing sensitive personal data.