Your Fitness Tracker Knows Everything About You. Who Else Does?
In 2021, a security researcher discovered an unsecured database containing 61 million fitness tracker records from Apple and Fitbit users — names, birthdates, weight, height, and location data, all sitting in plain text with no password protection.
The database belonged to GetHealth, a third-party company most of those users had never heard of. Their data had been collected, aggregated, and stored by a service buried in the terms and conditions of the apps they trusted.
This wasn't an isolated incident. It's how the fitness tracker industry works.
What Your Fitness Tracker Actually Collects
Modern fitness trackers and health apps collect an average of 12 different data types — more than one-third of all categories Apple defines in its App Store privacy labels. Here's what's typically recorded:
- Heart rate — continuous 24/7 monitoring, including resting, active, and sleeping heart rate
- Sleep patterns — when you fall asleep, how long you sleep, what sleep stages you cycle through
- GPS location — your workout routes, where you run, walk, and cycle
- Body metrics — weight, height, body composition, blood oxygen levels
- Menstrual cycle data — period dates, symptoms, fertility windows
- Stress and recovery — HRV-based stress scores, recovery readiness
- Raw sensor data — accelerometer and gyroscope readings that reveal movement patterns throughout the day
A Surfshark study found that Fitbit collects up to 24 unique data types — the most of any fitness app. Strava uses 21 data types for purposes beyond basic app functionality.
Combined, this data paints an extraordinarily detailed picture of your daily life: where you go, when you sleep, how stressed you are, your physical condition, and your reproductive health.
The HIPAA Gap: Why Your Data Isn't Protected
Here's the part most people don't know: your fitness tracker data is almost certainly not protected by medical privacy laws.
HIPAA — the law Americans assume protects all health data — only applies to "covered entities": hospitals, health insurance plans, healthcare clearinghouses, and their business associates. Consumer tech companies like Fitbit, Garmin, Oura, WHOOP, and Strava are not covered entities.
This means they can legally:
- Share your health metrics with advertising partners
- Sell aggregated (and sometimes individual) data to data brokers
- Transfer your data to new owners if the company is acquired
- Provide data to insurers or employers through partnerships
And many of them do. A Duke University study found that 79% of popular health and fitness apps share user data with third parties. Only 28% of users were aware this was happening.
The gap between what people expect and what actually happens is enormous. You'd never accept a doctor handing your medical records to an advertiser — but your fitness tracker may be doing something functionally similar.
The Breach Track Record
The fitness and health tech industry's track record with data security is grim:
Major Incidents
GetHealth (2021) — 61 million fitness tracker records (Apple and Fitbit users) exposed in an unsecured database. No password, no encryption, plain text.
UnitedHealth / Change Healthcare (2024) — 190 million health records stolen in the largest digital theft of U.S. medical records. The attacker gained access using stolen credentials with no multi-factor authentication. UnitedHealth paid a $22 million ransom.
MyFitnessPal (2018) — 150 million user accounts breached, exposing usernames, email addresses, and passwords.
Garmin (2020) — Russian hacker group Evil Corp deployed WastedLocker ransomware, taking down all Garmin online services for days. Garmin reportedly paid a $10 million ransom through an intermediary.
Peloton (2021) — An API vulnerability exposed personal data of approximately 3 million users, including full names, emails, ages, and workout stats. Peloton took over 90 days to fix it after being notified.
The Strava Military Problem
Strava's data privacy failures are perhaps the most visceral example of what can go wrong. In 2018, Strava's Global Heatmap — built from users' workout data — inadvertently revealed the locations of secret U.S. and allied military bases in Syria, Afghanistan, and Djibouti. Soldiers had been logging runs on base without realising their routes were being published.
The problem has continued. In 2022, an Israeli NGO planted fake Strava segments inside six top-secret military facilities and identified over 100 individuals, including Mossad personnel. In 2025, French nuclear submarine crew members leaked patrol positions through Strava workouts. In March 2026, a sailor on the French aircraft carrier Charles de Gaulle revealed the ship's location by logging a run on deck.
Location data from fitness trackers has real-world security consequences.
Who's Buying Your Health Data — and Why?
When fitness companies share your data with "third parties," who are those third parties?
Advertisers
A 2023 investigation found that 78% of fitness apps shared data with Meta and Google, even when users had their accounts set to "private." This data feeds targeted advertising. Searched for running shoes lately? Your fitness app may have told Meta you're a runner before you told anyone.
Insurance Companies
Health insurers have begun using wearable data to adjust premiums. Some offer discounts for meeting step goals — which sounds positive until you consider the inverse: data that shows low activity, poor sleep, or high stress could eventually be used to increase premiums. There's no law preventing this for data obtained outside of HIPAA-covered channels.
A Kaiser Family Foundation report found that 21% of employers offering health insurance already collected data from employees' wearable devices.
Data Brokers
Your fitness data can end up in the hands of data brokers who aggregate and resell it. Unlike medical records, fitness tracker data has no specific legal protection against resale. Once it leaves the app, tracking where it goes is nearly impossible.
New Corporate Owners
When Google acquired Fitbit for $2.1 billion in 2019, it gained access to health data from 28 million active users. Google pledged not to use Fitbit data for advertising. But precedent is concerning: when Google acquired Nest in 2014, it initially kept data separate, then connected it to Google's broader ecosystem within a year.
Oura Ring's 2024 partnership with Palantir for "population-level analysis of risk and readiness" — aimed at the U.S. Department of Defense — sparked backlash from users who hadn't signed up to contribute to military health analytics.
On-Device vs. Cloud: Why Architecture Matters
The fundamental privacy question is: where does your health data live and who can access it?
Most fitness trackers follow a cloud-first model. Your watch or band collects raw sensor data and sends it to your phone, which then uploads it to the company's servers for processing. The insights you see in the app were calculated on their infrastructure, using your data, on their terms.
This model creates multiple points of vulnerability:
- Data in transit can be intercepted (Bluetooth sniffing, unsecured WiFi)
- Cloud servers can be misconfigured or breached (GetHealth, UnitedHealth)
- Server-side data can be accessed by employees, subcontractors, or law enforcement
- Terms of service can change, expanding how data is used after you've already shared it
The alternative is on-device processing. Apple demonstrated the viability of this approach with Apple Health: all health metrics — trends, highlights, cycle predictions, resting heart rate analysis — are calculated on your iPhone or Apple Watch. Data synced through iCloud uses end-to-end encryption that even Apple cannot decrypt.
The numbers back this up. Research on edge AI in wearables shows that on-device processing reduces data transmission by 97.4% — from 4.2 GB of raw sensor data daily down to just 217 kilobytes of processed insights. The raw data never leaves your wrist.
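To make the architectural difference concrete, here is an added example (not code from this article, from Apple, or from any vendor named here) that simulates one day of wearable data and contrasts what the two designs would send off the wrist. The sample schema, the sleep/activity motion thresholds and the synthetic day itself are all constructed assumptions; the point is that a cloud-first app uploads every raw sample, while an on-device app computes the same headline metrics locally and only ever needs to persist or sync a summary of a few hundred bytes.

```python
import json
import math
from dataclasses import dataclass, asdict

SECONDS_PER_DAY = 24 * 60 * 60
STILL_THRESHOLD = 0.01   # assumed: motion index below this means wearer at rest
ACTIVE_THRESHOLD = 0.5   # assumed: motion index above this means vigorous activity


@dataclass
class Sample:
    """One second of raw wearable data (hypothetical schema, not a real vendor format)."""
    t: int        # seconds since midnight
    hr: int       # heart rate in bpm
    ax: float     # accelerometer axes in g
    ay: float
    az: float


def synthetic_day():
    """Constructed one-second samples for a single day; not real sensor data.
    00:00-07:00 asleep (low heart rate, wrist nearly still),
    18:00-18:30 workout (high heart rate, large accelerations),
    all other time awake with light movement."""
    samples = []
    for t in range(SECONDS_PER_DAY):
        hour = t / 3600
        if hour < 7:
            hr, motion = 55, 0.02
        elif 18 <= hour < 18.5:
            hr, motion = 140, 1.5
        else:
            hr, motion = 75, 0.2
        jitter = (t % 7) * 0.001          # deterministic wobble so the stream is not flat
        samples.append(Sample(t, hr, motion + jitter, 0.0, 1.0))
    return samples


def motion_index(s):
    """Deviation of the acceleration magnitude from 1 g (gravity alone means still)."""
    return abs(math.sqrt(s.ax ** 2 + s.ay ** 2 + s.az ** 2) - 1.0)


def per_minute(samples):
    """Collapse one-second samples into (mean heart rate, mean motion) per minute."""
    minutes = []
    for i in range(0, len(samples), 60):
        chunk = samples[i:i + 60]
        minutes.append((
            sum(s.hr for s in chunk) / len(chunk),
            sum(motion_index(s) for s in chunk) / len(chunk),
        ))
    return minutes


def daily_summary(samples):
    """The only record an on-device app needs to keep or sync for this day."""
    minutes = per_minute(samples)
    hrs = [m[0] for m in minutes]
    motions = [m[1] for m in minutes]

    # Resting heart rate: lowest 5-minute rolling average of the day.
    resting = min(sum(hrs[i:i + 5]) / 5 for i in range(len(hrs) - 4))

    # Sleep estimate: longest unbroken run of "still" minutes.
    longest = run = 0
    for m in motions:
        run = run + 1 if m < STILL_THRESHOLD else 0
        longest = max(longest, run)

    return {
        "resting_hr": round(resting),
        "mean_hr": round(sum(hrs) / len(hrs), 1),
        "max_hr": round(max(hrs)),
        "sleep_minutes": longest,
        "active_minutes": sum(1 for m in motions if m > ACTIVE_THRESHOLD),
    }


def transmission_comparison(samples):
    """Bytes a cloud-first design uploads (every raw sample) versus the bytes an
    on-device design syncs (the summary only). Returns (raw, summary, reduction %)."""
    raw_bytes = len(json.dumps([asdict(s) for s in samples]).encode())
    summary_bytes = len(json.dumps(daily_summary(samples)).encode())
    reduction_pct = 100 * (1 - summary_bytes / raw_bytes)
    return raw_bytes, summary_bytes, round(reduction_pct, 3)


if __name__ == "__main__":
    day = synthetic_day()
    print(daily_summary(day))
    raw, summary, pct = transmission_comparison(day)
    print(f"cloud-first upload: {raw:,} bytes; on-device sync: {summary:,} bytes "
          f"({pct}% less leaves the device)")
```

Everything a server breach, a subpoena served on the vendor, or a data-broker deal could expose is whatever crosses the network; in the on-device design that is the handful of derived numbers, and the per-second heart-rate and accelerometer stream stays local. The same aggregation is what a cloud-first backend would compute anyway, which is why the design choice costs the user nothing in features.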
This isn't just a privacy feature. It's a fundamentally different architecture. Data that never leaves your device cannot be:
- Exposed in a server breach
- Sold to data brokers
- Handed to advertisers
- Subpoenaed without physical access to your device
- Transferred to a new corporate owner
What Laws Are Catching Up?
The regulatory landscape is evolving, but slowly:
FTC Health Breach Notification Rule (updated 2024) — Now explicitly covers fitness trackers, health apps, and connected devices. Companies must notify users within 60 days of a breach affecting 500+ individuals.
Washington My Health My Data Act (2024) — The first U.S. state law specifically protecting health data outside of HIPAA. Requires opt-in consent before sharing health data and a separate signed authorisation before selling it.
Illinois BIPA — The Biometric Information Privacy Act has been used to sue fitness companies for collecting biometric data without consent. Over 107 BIPA class-action lawsuits were filed in 2025 alone, with fines of up to $5,000 per intentional violation.
WHOOP, Fitbit, and Oura have all faced legal action under these frameworks. But there is still no comprehensive federal law protecting consumer health data from fitness trackers in the United States.
Until that changes, your best protection is choosing tools that don't collect your data in the first place.
How to Protect Your Health Data
If you use a fitness tracker, here's what you can do right now:
Check the privacy label — Before downloading any health app, read the App Store privacy label. Look for "Data Not Collected" or "Data Not Linked to You." If the app lists "Data Used to Track You," think twice.
Audit your permissions — Go to Settings → Privacy → Health on your iPhone. See which apps have access to your health data and revoke access for any you no longer use.
Disable location for workouts — If you don't need GPS tracking, turn it off. Location data is the most sensitive type of fitness data (ask the French Navy).
Use on-device tools — Choose apps that process data locally rather than uploading it to cloud servers. Apple Health's architecture is the gold standard.
Read the terms — Specifically look for sections on "data sharing," "third-party partners," and "data retention." If a company reserves the right to share your health data with unnamed partners, that's a red flag.
Consider what you're trading — A "free" fitness app that monetises your health data isn't actually free. You're paying with the most intimate data you generate.
FAQ
Is fitness tracker data protected by HIPAA?
No, in most cases. HIPAA only covers healthcare providers, health plans, and their business associates. Consumer fitness companies like Fitbit, Garmin, Oura, and WHOOP are not HIPAA-covered entities. Your fitness tracker data has fewer legal protections than your medical records.
Can insurance companies use my fitness tracker data?
Yes. Some insurers already offer programs where wearable data influences premiums — usually framed as discounts for healthy behaviour. There's currently no federal law preventing insurers from using fitness data obtained outside of HIPAA to adjust rates.
What happens to my health data if a fitness company gets acquired?
Your data typically transfers to the new owner under the existing terms of service. Google's acquisition of Fitbit, for example, gave Google access to 28 million users' health data. While companies often make privacy pledges during acquisitions, these pledges are generally not legally binding long-term.
Which fitness trackers keep data on-device?
Apple Health processes all health data on-device and uses end-to-end encryption for iCloud sync. Livity follows the same approach — all health metrics are calculated on your iPhone using Apple Health data, and nothing is uploaded to external servers. Most other major platforms (Fitbit, Garmin Connect, WHOOP, Oura) rely on cloud processing.
Can fitness tracker data be used in court?
Yes. Fitness tracker data has been used as evidence in criminal cases, insurance disputes, and personal injury claims. In 2023, a murder suspect's Fitbit data was used to establish their location and activity at the time of the crime. Data stored on company servers can be obtained through subpoenas.
Start Tracking Without Giving Up Your Privacy
Your health data is some of the most personal information you generate. Where it's stored and who can access it matters.
Livity tracks your sleep, HRV, recovery, stress, and fitness age entirely on your device — no cloud servers, no data brokers, no third-party sharing. Your health data stays on your iPhone where it belongs. Free to try on the App Store.
