Wearable data exposure flagged

A social post highlighted that wearable data from Fitbit and Apple has been weakly protected in the past, pointing to a 2021 unsecured database that exposed about 61 million records of sleep, heart rate and location. The post underscores ongoing security risks around consumer wearable data feeds even when no active breach of the device makers themselves occurred. (x.com/dhe_empire/status/2043279330927628345)

A viral post is recirculating a 2021 case in which an unsecured database exposed about 61 million wearable and fitness records tied to services including Fitbit and Apple HealthKit. (fiercehealthcare.com) Security researchers said the database belonged to GetHealth, a New York company that aggregated data from apps and devices, and that the records were stored without password protection. The exposed fields included sleep, heart rate, weight, gender, geolocation and device identifiers. (scworld.com) Reports published on September 13 and 14, 2021 said the data was found in plain text and traced to multiple platforms, including Fitbit, Apple HealthKit, Google Fit, Strava and others. Researchers said GetHealth secured the database after disclosure. (appleinsider.com)

The episode centered on a data pipeline, not a confirmed hack of Apple’s Health app or Fitbit’s own systems. Wearable data often moves through outside developers and analytics services, and each extra handoff creates another place where a misconfigured server can expose records. (solutionsreview.com)

That gap sits outside the rules many consumers associate with medical privacy. The United States Department of Health and Human Services says once health information is sent to an app that is not a Health Insurance Portability and Accountability Act covered entity or business associate, the Health Insurance Portability and Accountability Act no longer protects that copy of the data. (hhs.gov)

Regulators have been tightening that area since 2024. The Federal Trade Commission’s updated Health Breach Notification Rule took effect on July 29, 2024 and requires vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act to notify users, the agency and sometimes the media after breaches of unsecured health data. (federalregister.gov)

States have moved too. Washington’s My Health My Data Act says health data collected by noncovered entities, including some apps and websites, does not get the same protections, and it imposes new consent and disclosure rules on companies handling consumer health data. (app.leg.wa.gov)

Apple says HealthKit data, except Medical ID, is encrypted on device and inaccessible by default when an iPhone is locked with a passcode, Touch ID or Face ID. (apple.com) Google says Fitbit uses Google security practices and gives users controls over how their data is used and shared. (safety.google)

The Federal Trade Commission has also targeted the sale of sensitive location data, including data linked to visits to health facilities. In December 2024, the agency said a settlement with Mobilewalla would bar the company from selling sensitive location data without taking reasonable steps to verify user consent. (ftc.gov)

The old GetHealth exposure is back in circulation because the basic risk never depended on a smartwatch alone. The weak point was the network of apps, brokers and back-end services that can sit between a wrist sensor and the company a user thinks they are trusting. (fiercehealthcare.com)
