The biggest risk of using fitness trackers to monitor health
Fitness trackers, which help keep track of sleep quality, heart rate and other biological metrics, are a popular way to help Americans improve their health and well-being.
There are many types of trackers on the market, including those from well-known brands such as Apple, Fitbit, Garmin and Oura. While these devices are growing in popularity—and have legitimate uses—consumers don’t always understand the extent to which their information can be accessed or intercepted by third parties. This is especially important because people can’t just change their DNA sequencing or heart rhythm like they can a credit card or bank account number.
“Once the toothpaste is out of the tube, you can’t get it back,” said Steve Grobman, senior vice president and chief technology officer at computer security company McAfee.
The holiday season is a popular time to buy health supplies for consumers. Here’s what you should know about the security risks associated with fitness trackers and personal health data.
Stick with a name brand, even if they are hacked
Exercise equipment can be expensive, even without accounting for inflation, but don’t be tempted to skimp on safety to save a few bucks. While a lesser-known company might offer more bells and whistles at a better price, an established vendor that gets breached is more likely to care about its reputation and do things to help consumers, said Kevin Roundy, senior technical director at cybersecurity company Gen Digital.
To be sure, data compromise issues, from criminal hacks to the accidental sharing of sensitive user information, can — and have — plagued big-name players, including Fitbit, which Google bought in 2021, and Strava. But still, security experts say it’s better to buy from a reputable manufacturer that knows how to design secure devices and has a reputation for maintaining them.
“A smaller company might just go bankrupt,” Roundy said.
Fitness app data is not protected as health information
There may be other concerns beyond having a person’s sensitive information exposed in a data breach. For example, fitness trackers typically connect to a user’s phone via Bluetooth, leaving personal data vulnerable to hacking.
Also, the information that fitness trackers collect is not considered “health information” under the federal HIPAA standard or state laws such as California’s Confidentiality of Medical Information Act. This means that personally identifiable data can potentially be used in ways that a consumer may never expect. For example, the personal information may be shared with or sold to third parties such as data brokers or law enforcement, said Emory Roane, policy adviser at the Privacy Rights Clearinghouse, a consumer privacy, advocacy and education organization.
Some fitness trackers may use consumers’ health and wellness data to generate ad revenue, so if that’s a concern, make sure there’s a way to opt out. Review the vendor’s terms of service to understand the policies before purchasing the fitness tracker, Roundy said.
Default social, location settings may need to be changed
The default settings of a fitness tracker may not offer the strictest security controls. To increase protection, look at what settings can be adjusted, such as those related to social networks, location and other information that can be shared, said Dan Demeter, security researcher at cybersecurity provider Kaspersky Lab.
Depending on the state, consumers can also opt out of the sale or sharing of their personal information to third parties, and in some cases those rights are expanded, according to Roane.
Certainly, device users should be careful about what they post publicly about their location and activities, or what they allow to become public by default. This data can be searchable online and used by bad actors. Even if they are not acting maliciously, third parties such as insurance companies and employers can gain access to this type of public information.
“Users expect their data to be their data and use it the way they want it to be used,” Roane said, but that’s not necessarily the case.
“It’s not just about current data, but also about past data,” Demeter said. For example, a bad actor can see all the times the person runs – which days and hours – and where, and use it to their advantage.
There are also a number of digital scams where criminals can use information about your location to make an opportunity appear more plausible. They may claim things like, “I know you lost your wallet somewhere, which lends credibility to the scammer’s story,” Grobman said.
Location data can prove problematic in other ways as well. Roane gives an example of a woman seeking reproductive health care in a state where abortion is illegal. A fitness tracker with geolocation services enabled could collect information that could be subpoenaed by law enforcement or be bought by data brokers and sold to law enforcement, he said.
Use strong passwords, two-factor authentication, and never share credentials
Be sure to secure your account by using a strong password that you don’t use with another account, and enable two-factor authentication for the associated app. And don’t share credentials. It’s never a good idea, but it can have particularly devastating consequences under certain circumstances. For example, a victim of domestic violence can be tracked by her abuser, assuming he had access to her account, Roane said.
Also, make sure to keep your device and app up to date with security patches.
While nothing is complete proof, the goal is to be as certain as possible. “If someone tries to profit from our personal information, we just make their lives more difficult, so it’s not that easy to hack us,” Demeter said.