The records are said to come from GetHealth, a company who’s platform also takes health-related data from places like Misfit Wearables, Microsoft Band, Strava and Google Fit. Sensitive information was included in the data repository, including names, birth dates, weight, gender, height, GPS logs, etc.
Cybersecurity researcher Jeremiah Fowler and Website Planet’s research team found the unsecured database on June 30th, 2021. The 16.71 GB database contained over 61 million user records. After sampling a data set of around 20,000 records, the majority of the information came from HealthKit and Fitbit. After notifying GetHealth, the company quickly secured the system and thanked Fowler for the notification.
WebsitePlanet noted it was unsure of how long the records were left out in the open, as well as if anyone had access to the data. There is no implication that customer or user data was at risk, or that GetHealth had intended any wrongdoing on their part.
While it’s uncertain whether threat actors took advantage of the open dataset or not, it’s a reminder to us that this is not an uncommon incident. These types of unsecured records show up frequently on the internet and contain all sorts of personal information. Credit card info, social security numbers, addresses, amongst other things are easily accessible to someone looking to exploit what they can find.
In this scenario, the information came from fitness trackers. But other medical and healthcare information could easily be exposed due to insecure cybersecurity infrastructure. A lack of training, improper monitoring as well as susceptibility to outside threats can increase the risk for potential abuses. Make sure your organization stays up to date on security best practices in order to mitigate a potentially damaging situation.
Need an estimate? Request a quote below!