An unsecured database containing IoT health and fitness tracking device data was found exposing more than 61 million records tied to fitness app users from across the globe. The database belonged to GetHealth, a New York-based unified solution for health and wellness apps, including FitBit, GoogleFit, 23andMe, and a host of others.
However, other apps and devices may have also been impacted as the GetHealth platform syncs data from a long list of popular fitness and health apps.
The WebsitePlanet research team and security researcher Jeremiah Fowler discovered the massive data leak in late June and immediately notified GetHealth of the findings. The database was secured the following day.
In total, the database contained 16.71 GB of information tied to user profiles, fitness, heart rates, pulse, sleep records, and trackers, among other daily health-related information. Many of the internal database records contained plain text user data with a host of highly sensitive information, including names, dates of birth, physical descriptions, and geolocation.
In one instance, a sampling of 20,000 records belonged to some of the most popular health and fitness trackers. A FitBit dataset appeared 2,766 times. Certain files even displayed where the data was stored on the device, as well as a blueprint of the backend network operations and configurations.
One of the largest recordsets was labeled Apple HealthKit, which appeared 17,764 times. The concern is that HealthKit collects complex metrics like blood pressure, glucose, body weight, and other personal health data, operating silently in the background on any iPhone where the user has granted it permission.
“Once an iPhone user gives permission to Apple’s health and fitness app it uses sensors in the phone, connected wearables, and smart devices to collect more health data than many of the other devices or applications,” researchers explained.
This type of data could be used in targeted phishing attacks or even to obtain further health information from users.
The researchers are unsure of how long the data was exposed and whether other parties gained access to the database. The team was unable to determine just how many users were connected to the database.
The researchers stressed the intent of the report was not to imply wrongdoing by GetHealth, nor to imply user data was explicitly at risk to nefarious activities. Rather, the research is designed to spotlight ongoing IoT, wearable device, and health app risks, including how the data is stored.
The report joins previous research detailing ongoing privacy and security risks posed by the vast majority of health apps. The most recent data from Knight Ink and Approov found that 30 of the most popular mHealth apps are highly vulnerable to API cyberattacks that could enable unauthorized access to full user and patient records.
Overall, the researchers found at least 23 million mHealth users have been exposed, at a minimum, through the health apps. And all 30 of the assessed apps were vulnerable to broken object level authorization (BOLA) attacks, posing tangible risks to the health data collected and stored within the platforms.
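To make the BOLA finding concrete, here is an added illustration (not code from GetHealth, nor from the Knight Ink and Approov report) of what "broken object level authorization" means in an API that serves per-user health records. The users, tokens, and records are constructed for the example. The vulnerable handler authenticates the caller but never checks that the requested record belongs to them, so any logged-in user can read any other user's data by changing the record id; the hardened handler adds the ownership check, and a small audit function shows how a tester or defender can confirm the fix by checking every user against every record.

```python
"""
Added example: broken object level authorization (BOLA) in a per-user
health-record API, shown beside the hardened version.  Not code from
GetHealth or from the Knight Ink / Approov study; all users, tokens and
records below are constructed sample data.
"""

# Constructed sample data: two users, each owning one health record.
HEALTH_RECORDS = {
    1001: {"owner": "alice", "heart_rate_bpm": 62, "sleep_hours": 7.5},
    1002: {"owner": "bob", "heart_rate_bpm": 88, "sleep_hours": 5.0},
}

# Constructed bearer-token -> user mapping, standing in for real session auth.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """Caller could not be identified (bad or missing token)."""


class Forbidden(Exception):
    """Caller is known but is not allowed to see the object."""


def _authenticate(token):
    user = SESSIONS.get(token)
    if user is None:
        raise Unauthorized("invalid or missing token")
    return user


def get_record_vulnerable(token, record_id):
    """BOLA: authenticates the caller but never checks who owns the record."""
    _authenticate(token)
    record = HEALTH_RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    return record


def get_record_hardened(token, record_id):
    """Object-level authorization: the record is returned only to its owner."""
    user = _authenticate(token)
    record = HEALTH_RECORDS.get(record_id)
    # Same response for "missing" and "not yours", so record ids cannot be
    # enumerated by observing which lookups fail differently.
    if record is None or record["owner"] != user:
        raise Forbidden(f"user {user} may not read record {record_id}")
    return record


def probe(handler, token, record_id):
    """Summarise one request as 'ok', 'forbidden', 'unauthorized' or 'not_found'."""
    try:
        handler(token, record_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except Unauthorized:
        return "unauthorized"
    except KeyError:
        return "not_found"


def audit_cross_owner_reads(handler):
    """Return every (user, record_id) pair where a user can read a record they
    do not own.  An empty list means the handler enforces object ownership."""
    leaks = []
    for token, user in SESSIONS.items():
        for record_id, record in HEALTH_RECORDS.items():
            if record["owner"] == user:
                continue  # reading your own record is expected
            if probe(handler, token, record_id) == "ok":
                leaks.append((user, record_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", audit_cross_owner_reads(get_record_vulnerable))
    print("hardened handler leaks:  ", audit_cross_owner_reads(get_record_hardened))
```

The audit loop is the part worth keeping in a test suite: it is a cheap regression check that every object-returning endpoint still ties the object to the authenticated principal, which is exactly the check the 30 apps in the study were missing.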
Further, previous research found that the majority of all mHealth and mental health apps routinely share data with third parties without user consent. Those issues are much more common and have led to lawsuits against several fertility app developers over their questionable data sharing practices.
The crux of the ongoing challenges of health apps is that they’re not covered by the Health Insurance Portability and Accountability Act. But it’s Congress that bears the responsibility for securing health apps, not the Department of Health and Human Services.
With the ongoing pandemic, health app privacy has taken a back seat to efforts aimed at curtailing the spread of COVID-19. For now, educating consumers on health app risks and pressuring third-party vendors to better secure the data and improve transparency on data sharing, in tandem with independent research on app vulnerabilities, will be pivotal to better protecting consumer data privacy.