- Fitness trackers and apps from companies including Google, Apple, Garmin and Strava offer a convenient way to stay on top of health and wellness, monitoring body metrics like sleep quality and heart rate.
- But even the biggest brands focused on security and reputation can be hacked or share personal data in other unintended ways with serious, sometimes devastating, consequences.
- Data collected by a fitness app is not protected like health information under the law, making social and location settings, and login credentials, critical for a user to set properly before making these devices part of their daily life.
Fitness trackers, which help keep tabs on sleep quality, heart rate and other biological metrics, are a popular way to help Americans improve their health and well-being.
There are many types of trackers on the market, including those from well-known brands such as Apple, Fitbit, Garmin and Oura. While these devices are growing in popularity — and have legitimate uses — consumers don't always understand the extent to which their information could be available to or intercepted by third parties. This is especially important because people can't simply change their DNA sequencing or heart rhythms as they could a credit card or bank account number.
"Once the toothpaste is out of the tube, you can't get it back," said Steve Grobman, senior vice president and chief technology officer of computer security company McAfee.
The holiday season is a popular time to purchase consumer health devices. Here's what you should know about the security risks tied to fitness trackers and personal health data.
Stick to a name brand, even though they are hacked
Fitness devices can be expensive, even without taking inflation into account, but don't be tempted to skimp on security to save a few dollars. While a less-known company may offer more bells and whistles at a better price, a well-established provider that is breached is more likely to care about its reputation and do things to help consumers, said Kevin Roundy, senior technical director at cybersecurity company Gen Digital.
To be sure, data compromise issues, from criminal hacks to unintended sharing of sensitive user information, can — and have — hit well-known players, including Fitbit, which Google bought in 2021, and Strava. But even so, security professionals say it's better to buy from a reputable manufacturer that knows how to design secure devices and has a reputation to upkeep.
"A smaller company might just go bankrupt," Roundy said.
Fitness app data is not protected like health information
There can be other concerns beyond having a person's sensitive information exposed in a data breach. For example, fitness trackers generally connect to a user's phone via Bluetooth, leaving personal data susceptible to hacking.
What's more, the information that fitness trackers collect isn't considered "health information" under the federal HIPAA standard or state laws like California's Confidentiality of Medical Information Act. This means that personally revealing data can potentially be used in ways a consumer might never expect. For instance, the personal information could be shared with or sold to third parties such as data brokers or law enforcement, said Emory Roane, policy counsel at Privacy Rights Clearinghouse, a consumer privacy, advocacy and education organization.
Some fitness trackers may use consumers' health and wellness data to derive revenue from ads, so if that's a concern, you'll want to make sure there's a way to opt out. Review the provider's terms of service to understand the its policies before you buy the fitness tracker, Roundy said.
Default social, location settings may need to be changed
A fitness tracker's default settings may not offer the most stringent security controls. To boost protection, look at what settings can be adjusted, such as those related to social networking, location and other sharable information, said Dan Demeter, security researcher at cybersecurity provider Kaspersky Lab.
Depending on the state, consumers can also opt out of the sale or sharing of their personal information to third parties, and in some cases, these rights are being expanded, according to Roane.
Certainly, device users should be careful about what they post publicly about their location and activities, or what they allow to become public by default. This data could be searchable online and used by bad actors. Even if they aren't acting maliciously, third parties such as insurers and employers could get access to this type of public information.
"Users expect their data to be their data and use it how they want it to be used," Roane said, but that's not necessarily the case.
"It's not only about present data, but also about past data," Demeter said. For instance, a bad actor could see all the times the person goes running — what days and hours — and where, and use it to their advantage.
There are also a number of digital scams where criminals can use information about your location to make an opportunity seem more plausible. They can claim things like, "I know you lost your wallet at so and so place, which lends credibility to the scammer's story," Grobman said.
Location data can prove problematic in other ways as well. Roane offers the example of a women seeking reproductive health care in a state where abortion is illegal. A fitness tracker with geolocation services enabled could collect information that could be subpoenaed by law enforcement or be purchased by data brokers and sold to law enforcement, he said.
Use strong password, two-factor authentication, and never share credentials
Be sure to secure your account by using a strong password that you don't use with another account and enabling two-factor authentication for the associated app. And don't share credentials. That's never a good idea, but it can have especially devastating consequences in certain circumstances. For example, a domestic violence victim could be tracked by her abuser, assuming he had access to her account credentials, Roane said.
Also be sure to keep the device and the app up-to-date with security fixes.
While nothing is foolproof, the goal is to be as secure as possible. "If somebody tries to profit from our personal information, we just make their lives harder so it's not that easy to hack us," Demeter said.