Fitness trackers, which help keep tabs on sleep quality, heart rate and other biological metrics, are a popular way to help Americans improve their health and well-being.
There are many types of trackers on the market, including those from well-known brands such as Apple, Fitbit, Garmin and Oura. While these devices are growing in popularity — and have legitimate uses — consumers don’t always understand the extent to which their information could be available to or intercepted by third parties. This is especially important because people can’t simply change their DNA sequencing or heart rhythms as they could a credit card or bank account number.
“Once the toothpaste is out of the tube, you can’t get it back,” said Steve Grobman, senior vice president and chief technology officer of computer security company McAfee.
The holiday season is a popular time to purchase consumer health devices. Here’s what you should know about the security risks tied to fitness trackers and personal health data.
Stick to a name brand, even though they are hacked
Fitness devices can be expensive, even without taking inflation into account, but don’t be tempted to skimp on security to save a few dollars. While a less-known company may offer more bells and whistles at a better price, a well-established provider that is breached is more likely to care about its reputation and do things to help consumers, said Kevin Roundy, senior technical director at cybersecurity company Gen Digital.
To be sure, data compromise issues, from criminal hacks to unintended sharing of sensitive user information, can — and have — hit well-known players, including Fitbit, which Google bought in 2021, and Strava. But even so, security professionals say it’s better to buy from a reputable manufacturer that knows how to design secure devices and has a reputation to upkeep.
“A smaller company might just go bankrupt,” Roundy said.
Fitness app data is not protected like health information
There can be other concerns beyond having a person’s sensitive information exposed in a data breach. For example, fitness trackers generally connect to a user’s phone via Bluetooth, leaving personal data susceptible to hacking.
What’s more, the information that fitness trackers collect isn’t considered “health information” under the federal HIPAA standard or state laws like California’s Confidentiality of Medical Information Act. This means that personally revealing data can potentially be used in ways a consumer might never expect. For instance, the personal information could be shared with or sold to third parties such as data brokers …….