Fitness trackers like Fitbit, WHOOP, and Garmin have increased significantly in popularity over the past few years, due to the release of many new options, as well as an increased interest in wearable health trackers due concern over Covid-19.
More than 1 in every 5 Americans now owns a fitness tracker of some kind. Go to any big city, and within the first few minutes, you’ll almost certainly see people walking around with the newest gear. It’s becoming impossible to escape, and with good reason. Fitness trackers provide a lot of valuable information, helping you manage your heart rate, diet, and sleep, all of which are important for all-around fitness.
However, they come with a cost: lack of privacy. In recent months, several of the major fitness tracker brands have come under fire for poor handling of data security, resulting in the exposure of customers’ private health information.
Just this year over 61 million users personal health records from trackers including Fitbit and Apple health were found on a non-password-protected database, freely accessible to anyone who could find it. Many of the records included sensitive information like name, date of birth, height, weight, and geolocation.
Health and fitness are incredibly personal. There’s a reason that the Health Insurance Portability and Accountability Act (HIPAA) protects your medical records. It is the responsibility of anyone dealing with health records to keep that information private, so the fact that wearables companies are leaving their data unencrypted and unprotected is worrying.
The Challenge With Wearables
Part of the issue with wearables is that they fall in a sort of blurry space. They aren’t typically considered medical devices, yet they collect data that could fall into this category. There are no clear HIPAA regulations covering when wearables are used purely for personal use, but when the data is shared, things get a lot more messy and it doesn’t seem like regulation has caught up quite yet.
One of the reasons for this might be that to most people, the data from their wearable doesn’t seem all that appealing to someone looking to steal it. A small bit of information on daily step count or sleep time doesn’t seem all that useful. And that’s true. Data only on step counts probably won’t tell you that much about a person, but if you start to combine it with other information, like heart rate, BMI, calorie burn counters, and more (which are tracked by quite a few different wearables), you can form a pretty full picture of their health, which could then be used maliciously.
The Problem Is Only Going To Get Worse
As fitness trackers continue to grow in popularity, the problem is only going to get worse. The technology will continue to evolve and improve, resulting in more and more data being collected. And as the data lake grows, it will become harder and harder to manage. It’s easy to protect a small amount of data, but really hard to protect a lot of it. The more you expand and the more resources you use, the more potential failure points get introduced.
And health-related data is under the greatest threat of all. The healthcare industry experiences more data breaches than any other industry. And that’s because the data is so valuable, selling for upwards of $250 on the black market, nearly 50x as much as credit card information.
If your fitness data is out there, you better believe someone wants it. And if it’s not protected properly, it’s only a matter of time until it’s found.
What Can You Do About it?
- Research wearables before buying one, with a focus on understanding the data privacy measures each company uses to protect your data. Look for companies that make a special effort to reinforce their commitment to encryption and minimal third-party data sharing. It might also be worth looking at articles like this one, which summarize privacy policies for you.
- If you already have a wearable device or fitness tracking app, make sure to edit your settings for maximum data security. Most devices/apps have settings that can restrict how your data is used, and you want to make sure the use of your data is as limited as possible beyond what is necessary to provide you the information you need.
If you have Apple Health, there are a lot of settings you can mess with to decrease data access and even delete data completely.
If you don’t want the app to be able to track you at all, for example, go to your phone settings > Privacy > Motion & Fitness, and then turn off fitness tracking. This will block the app’s access to any built in sensors on your phone that track your activity.
If you want to use the app, but want to limit data use, take a minute to look at which apps connect out from it. To do this, open Apple Health, go to the top right corner, and then go to Privacy > Apps.
Some apps can add data to your health app, while others can take data, based on the settings you give.
Look through all of the apps and for any apps you don’t need, disable their permissions, consider disconnecting the app, and delete all of the data that has been collected so far.
Apple Health also has an option for sharing your data with trusted friends and family. Make sure to check your settings and ensure that you are not sharing with anyone you do not want to, or who does not need to see your data.
You can read Apple health’s official statement about privacy on Apple Health here.
Like Apple Health, Google Fit provides options to delete your data. If you go to your profile and settings, there should be an option to “manage your data”, where you can see what data has been collected and delete some or all of it.
You can also manage which apps can read from and write to Google Fit. From settings, “manage connected apps” will let you disconnect any apps you don’t want.
A word of warning, though: Google is notorious for collecting massive amounts of information (often secretly) and making it very difficult to actually turn the tracking off.
It appears that Google Fit data is also accessible publicly (though it is anonymized) through the Google Fit API, which you can read about here.
You can erase a physical Fitbit device (see here), but deleting your overall data in Fitbit’s databases appears more difficult. You can request that your account be deleted from the Fitbit databases, but it could still take up to 90 days to actually clear out. And some users report that their data has still not been deleted after that time (see this discussion thread for more on the topic).
If Google’s data collection is concerning to you, you might want to stay away from Fitbit as they are now owned by Google.
Garmin has a lot of options for data deletion. You can delete individual activities and weigh-ins, full days of data, or even your entire data history (see here).
You can also delete your Garmin account, which, according to Garmin, means that they will “permanently delete data for all Garmin sites, apps, and services using [your] account.” They also have a policy to automatically delete your account after two years of inactivity.
Garmin also doesn’t sell any of your health data to third parties, and only shares it with your consent. You can read more about this policy on their privacy page.
To delete data in WHOOP, try these instructions. Unlike some of the other trackers where you can delete all data, it appears that WHOOP only lets you delete the last 30 days.
If you cancel your membership, WHOOP will not automatically delete your data, but you can put in a request to have it deleted.
You can view WHOOP’s privacy principles here.
Fitness trackers are increasing in popularity, and if you don’t already have one, you’ll likely be thinking about it sometime in the near future.
They provide a lot of tools for helping you improve your health, but come with a major concern of data privacy. Several different wearable trackers have been implicated in data breaches–caused by poor data security–in the last few years. These breaches are quite harmful, as they involve sensitive personal health data.
Although health data is typically highly protected under HIPAA, the policy for wearables has not caught up yet and fitness tracker data is not strongly protected.
To reduce the likelihood of your data being exposed, take extra care to consider the privacy policies of different companies before purchasing a tracker. And if you already have one, try to research what steps are available to limit your data collection and sharing to only that which is necessary to give you the health benefits you desire.