Over 60 million wearable, fitness tracking records exposed via unsecured database

Updated: Data sources included Apple's HealthKit and Fitbit.
Written by Charlie Osborne, Contributing Writer

Update 25.1.22: Updated for further clarity. Following an investigation, a Strava spokesperson told ZDNet that there was no breach of data due to GetHealth's unsecured server. Furthermore, Strava has never experienced a data breach. 

An unsecured database containing over 61 million records related to wearable technology and fitness services was left exposed online.

On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth. 

Based in New York, GetHealth describes itself as a "unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps." The firm claims that the GetHealth platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit. 

On June 30, 2021, the team discovered a database online that was not password protected. 

The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information -- some of which could be considered sensitive -- such as their names, dates of birth, weight, height, gender, and GPS logs, among other datasets. 

While sampling a set of approximately 20,000 records to verify the data, the team found that the majority of data sources were from Fitbit and Apple's HealthKit.


"This information was in plain text while there was an ID that appeared to be encrypted," the researchers said. "The geo location was structured as in "America/New_York," "Europe/Dublin" and revealed that users were located all over the world."


"The files also show where data is stored and a blueprint of how the network operates from the backend and was configured," the team added.

References to GetHealth in the 16.71 GB database indicated the company was the potential owner, and once the data had been validated on the day of discovery, Fowler privately notified the company of his findings. GetHealth responded rapidly and the system was secured within a matter of hours. On the same day, the firm's CTO reached out, informed him that the security issue was now resolved, and thanked the researcher. 

"It is unclear how long these records were exposed or who else may have had access to the dataset," WebsitePlanet said. "[...] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor, are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access."

ZDNet has reached out to GetHealth with additional queries and we will update when we hear back.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards