An unsecured database of over 61 million records related to wearable technology and fitness services has been exposed online. On Monday, WebsitePlanet, along with cybersecurity researcher Jeremiah Fowler, discovered that the database was owned by GetHealth.
New York-based GetHealth describes itself as “a unified solution for accessing health and wellness data from hundreds of wearables, medical devices and apps”. The company’s platform is able to collect health-related data from sources such as Fitbit, Misfit Wearables,Band, Strava and Get fit.
On June 30, 2021, the team discovered a database online that was not password protected. The researchers said the data store contained over 61 million records, including large amounts of user information – some of which could be considered sensitive – such as names, dates of birth, weight, height, gender, and GPS logs, among other records.
When they sampled about 20,000 records to review the data, the team found that most of the data sources came from Fitbit and Apple’s HealthKit.
“This information was in clear text, while there was an ID that appeared to be encrypted,” the researchers said. “The geographic location was structured into“ America / New_York ”and“ Europe / Dublin ”and revealed that the users were all over the world. The files also show where the data is stored and how the network works and has been configured in the background, ”the team continued.
References to GetHealth in the 16.71GB database pointed to the company as a potential owner, and after the data was validated on the day of the discovery, Fowler privately shared his findings with the company. GetHealth responded quickly and the system was backed up within hours. On the same day, the company’s CTO called in and announced that the security problem had now been resolved.
“It is unclear how long these records were open or who else had access to the record,” said WebsitePlanet. “We do not accuse GetHealth, its customers or partners of any wrongdoing. We also do not assume that any customer or user data was at risk. We were unable to determine the exact number of people affected before the database was blocked from public access. “