Researchers: 61M Health IoT Device User Records Exposed
Database Belonged to a Firm That Apparently Just Shut Down
An unsecured database belonging to an apparently recently defunct firm exposed 61 million records of wearable health and fitness device users on the internet, say the security researchers who discovered the non-password-protected database in cooperation with the WebsitePlanet research team.
The exposed records were related to IoT health and fitness tracking devices used by consumers worldwide, says researcher Jeremiah Fowler, co-founder of consultancy Security Discovery, in a report released Monday on the WebsitePlanet blog.
"The most disturbing part of the discovery was that many of the records contained user data that included first and last name, display name, date of birth, weight, height, gender, geo location, and more," Fowler writes in the report.
"This information was in plain text while there was an ID that appeared to be encrypted. The geo location was structured as in 'America/New_York', 'Europe/Dublin' and revealed that users were located all over the world."
It is uncertain how long the data was left exposed, he says.
Did Company Shut Down?
The data appears to have been gathered by GetHealth.io, a New York City-based company that offered a unified solution to access health and wellness data from hundreds of wearables, medical devices and apps, Fowler writes.
He says that upon his findings, he "immediately sent a responsible disclosure notice" and the next day received a reply thanking him for the notification and confirming that the exposed data had been secured.
Efforts by Information Security Media Group to contact GetHealth.io for comment on the researchers' findings were unsuccessful. On Tuesday, the company's website appeared to have been taken down, and the firm's LinkedIn profile noted that "zero" employees worked there.
"They took their site offline the night before publication [of the security report] and emails have bounced back," Fowler tells ISMG. "It’s unfortunate because we only wanted to highlight the dangers of wearables. We also had no idea that they would stop operations."
Fowler tells ISMG that it is his understanding that GetHealth.io "partnered with apps or third parties, and users agreed to terms and conditions to share their data."
"In a limited sampling of 20,000-plus records, some of the top wearable health and fitness trackers appeared as a [GetHealth.io] 'source,'" Fowler says in the report.
Fowler says that according to GetHealth’s website, before it was taken down, the firm said it "can sync data" from a wide assortment of companies or devices, including Fitbit, Google and Apple.
Unfortunately, exposures of health information in unsecured, internet-facing databases are not uncommon.
For instance, last October, an unsecured Amazon Web Services database belonging to India's Dr Lal Path Labs, which offers diagnostic testing, was found exposing approximately 50GB of patient data, including notes related to the results of COVID-19 tests, according to an Australian security researcher (see: Unsecured AWS Database Left Patient Data Exposed).
Also in June, Fowler issued a report about discovering another unsecured database - containing over 1 billion records related to CVS Health website visitor activity (see: Researcher: 1 Billion CVS Health Website Records Exposed).
Sometimes IT makes changes to these systems and afterwards the security is not checked, he says. "In other cases, these systems have vulnerabilities that criminals exploit before the hosting organization patches them or puts compensating controls in place."
Occasionally, internet-facing systems have misconfigured security settings due to lack of knowledge or experience, he notes.
"Lastly, sometimes assumptions are made about the hosting provider securing the internet-facing systems. For example, Amazon and Microsoft have defined boundaries of responsibilities for their respective cloud hosting services," he says.
"Oftentimes these boundaries put the responsibility of properly securing the servers built in these environments on the customer."
In order to help prevent these types of incidents, entities must ensure their systems are secured before putting them on the internet, and then use change management processes to ensure changes are secured, as well, Fricke says.
Entities should review security post-change, and lastly, routinely scan the internet-facing systems for vulnerabilities and track remediation, Fricke suggests.
"The criminals are scanning the internet all the time, looking for vulnerable systems. We need to be scanning our systems too."
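The post-change check described above can be made concrete. The following is an added illustration written for this article, not code from GetHealth.io, the researchers or ISMG: it probes a data-service URL with no credentials and classifies the answer, so the same script can run after every change to an internet-facing system and raise an alert when records come back without a login. Two tiny in-process HTTP servers (an open one and one requiring HTTP Basic auth), the `user:secret` credentials and the sample record are constructed stand-ins; the hostnames, ports and record fields are assumptions for the demo.

```python
"""Post-change check for an internet-facing data service: does it still
require authentication?  Added illustration, not code from GetHealth.io,
the researchers or the ISMG article; endpoints, credentials and records
below are constructed stand-ins."""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample record of the kind the report describes (plaintext PII).
SAMPLE_RECORDS = (b'[{"first_name":"Jane","last_name":"Doe","dob":"1984-02-11",'
                  b'"timezone":"Europe/Dublin"}]')
EXPECTED_AUTH = "Basic dXNlcjpzZWNyZXQ="   # base64("user:secret"); assumed credentials


class OpenHandler(BaseHTTPRequestHandler):
    """Stand-in for a misconfigured database REST endpoint: answers anyone."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(SAMPLE_RECORDS)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ProtectedHandler(OpenHandler):
    """Same endpoint after the fix: demands HTTP Basic credentials first."""

    def do_GET(self):
        if self.headers.get("Authorization") != EXPECTED_AUTH:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="records"')
            self.end_headers()
            return
        super().do_GET()


def start_server(handler):
    """Bind an in-process server on a free loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(url, timeout=2.0):
    """Request the URL with NO credentials and classify what comes back.

    'open'          -> 200: data is readable without authentication (alert)
    'auth-required' -> 401/403: the service demanded credentials (expected)
    'unreachable'   -> nothing listening, connection refused or timeout
    'other:<code>'  -> anything else, to be reviewed by a human
    """
    req = urllib.request.Request(url, headers={"User-Agent": "post-change-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "open" if resp.status == 200 else f"other:{resp.status}"
    except urllib.error.HTTPError as e:          # 4xx/5xx answers land here
        return "auth-required" if e.code in (401, 403) else f"other:{e.code}"
    except (urllib.error.URLError, socket.timeout, ConnectionError):
        return "unreachable"


def free_port():
    """Reserve and release a loopback port so the demo has a closed one to probe."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Probe three constructed endpoints; return {name: verdict} for callers to check."""
    open_srv, open_port = start_server(OpenHandler)
    prot_srv, prot_port = start_server(ProtectedHandler)
    try:
        return {
            "open": probe(f"http://127.0.0.1:{open_port}/records"),
            "protected": probe(f"http://127.0.0.1:{prot_port}/records"),
            "unreachable": probe(f"http://127.0.0.1:{free_port()}/records"),
        }
    finally:
        for srv in (open_srv, prot_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12} {verdict:15} {'ALERT' if verdict == 'open' else 'ok'}")
```

In practice the URL list would be the organization's own inventory of internet-facing data services, the script would run from outside the network perimeter after each change ticket closes, and any `open` verdict would block the change until fixed; a `401` on its own does not prove the credentials are strong, only that anonymous reads are refused.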