Health and Fitness Data
Health and fitness are perennially popular sources of revenue for numerous companies, including gyms, spas, and – yes – technology companies. Health and fitness websites abound online, numerous apps in this category can be found for Android and iOS phones, and technology even allows for connected, wearable devices to monitor a person’s activities throughout the day. Unfortunately, all this technology comes at a high privacy cost, since health-related information tends to be especially sensitive.
Overview
The typical user of health and fitness apps and devices has a limited understanding of how much data these products collect. Users also tend to underestimate the potential negative consequences resulting from the misuse of health data. Furthermore, they tend to minimize the cybersecurity risks of these devices, essentially believing that, while data breaches and leaks happen, the chance of a leak happening to “me” is smaller than it actually is. [1] Curiously, users of this technology also seem to be perfectly willing to share their health information with friends, work colleagues, and even random Internet strangers, yet they aren’t as comfortable sharing their health information with their own doctors. [2] This situation is puzzling given that the medical profession is one of the few industries in the United States that is subject to meaningful federal privacy regulations.
Health information is collected by a number of entities, apps, and devices. Medical equipment used in doctors’ offices and hospitals is subject to privacy regulations but can leak sensitive health information in the case of a device backdoor or a cyberattack. Pharmacies are ordinarily subject to privacy regulations similar to those that apply to doctors, but they have ways to get around these privacy requirements and share patient information. Direct-to-consumer health services are generally not subject to privacy regulations and include home DNA test kits, health-related smartphone apps, fitness trackers, and connected sex toys. All this health data can be aggregated in unexpected ways using data fusion techniques, leading to potential adverse consequences. These consequences can come years in the future, well after the data has been collected, as new processing and artificial intelligence (AI) algorithms are developed.
In this section, we’re going to take a deep dive into health and fitness data. We’ll start by looking at federal privacy regulations that are in place under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). From there, we’ll quickly see just how limited HIPAA is, since it only actually applies to health insurance companies, healthcare providers, and some directly associated businesses. Companies that do not fit into one of those categories can collect all kinds of sensitive information and share it with little to no oversight.
Section Contents
- HIPAA and Its Limits
- Medical Equipment
- Pharmacies
- DNA Testing
- Health Apps and Services
- Fitness Trackers
- Sex Toys
- Data Fusion
Notes and References
1. Sandra Gabriele and Sonia Chiasson. “Understanding Fitness Tracker Users’ Security and Privacy Knowledge, Attitudes and Behaviours.” CHI Conference on Human Factors in Computing Systems (CHI ’20). Honolulu, HI, April 25-30, 2020.
2. Mohamed Abdelhamid. “Fitness Tracker Information and Privacy Management: Empirical Study.” Journal of Medical Internet Research 23(11). November 2021.