Posted on September 14, 2021 at 6:12 PM
An unsecured database with more than 61 million records linked to wearable devices and fitness services has been exposed online.
A report issued on Monday revealed that the exposed data belongs to the GetHealth Company.
Details belong to GetHealth
GetHealth is a healthcare firm based in New York that deals in wearables, medical devices and applications. The firm’s objective is to deliver a “unified solution to access health and wellness data.”
The platform uses these technological devices to gain access to health-related data from various sources. The sources from which the company pulls its health information include Microsoft Band, Fitbit, Strava, Misfit Wearables and Google Fit.
On June 30, the team behind the recent exposé stated that a database had been detected online and was not protected by any password, leaving it open to access by threat actors. The report revealed that more than 61 million records in the database were exposed online.
Some of the exposed information consists of sensitive user details such as names, GPS logs, dates of birth, height, weight and gender, among others.
When 20,000 records from the exposed data were analyzed and verified, it was revealed that most of the data came from Apple’s HealthKit and Fitbit. The researchers added that the details were stored in plain text, although there was an encrypted ID.
“The geolocation was structured as in ‘America/New York’ ‘Europe/Dublin’, and revealed that the users of the wearable devices and fitness services were situated around the world.” The report also added that “the files also show where data is stored and a blueprint of how the network operates from the backend and was configured.”
The data was verified to belong to GetHealth because of the 16.71 references showing that the company was the records’ owner. GetHealth was informed of the findings on the same day the data was analyzed. The company responded quickly, and the affected systems were secured within a few hours.
When the company was informed of the findings, the CTO of GetHealth reached out to the researchers and informed them that the security error had been fixed. The firm was also grateful for the researchers’ efforts to ensure that no further damage was caused.
“It is unclear how long these records were exposed or who else may have had access to the data set. We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access,” the report stated.
Increased Attacks on Fitness Trackers
Cases of vulnerabilities in fitness trackers have been increasing. Fitness trackers are technological devices whose purpose is to understand and improve the quality of life by providing timely information on any threats to a person’s health.
For the device to collect health information accurately, it needs to access private details regarding a user’s life, health, habits and more.
A recent report from the Pew Research Center stated that around 20% of adults living in the United States have access to a wearable device or fitness tracker. These devices store a lot of health information on users over the years, and they carry a heavy privacy risk to users.
Besides, most of these devices are not built to be anonymous; rather, they obtain real information to create user accounts. Users of the devices are required to provide personal information to create their profiles. This makes it easy for hackers to pinpoint the origin of the data if there is a breach.
There are several privacy concerns related to the use of wearable devices. First, there are no set privacy standards regarding these devices. Hence, companies can obtain access to this information and use it for other purposes such as advertising and marketing. The data can also be shared with third-party firms that require the data for company purposes.
The other issue faced by those who use these devices is that even though there is an “end of use policy”, there is no certainty as to how long a company will store the data. Users can stop using the wearable device, but their information may remain in the database indefinitely. This means that their private details will still be accessible even when they no longer use the devices.