When you use a wearable device to track your health or fitness, do you control your sensitive information? Or is the technology actually using you?

Despite being a Certified Information Privacy Professional, I wear two health trackers almost all the time: an Oura Ring and Garmin watch. Both are considered Internet of Things (IoT) devices, or anything with an internet connection, apart from traditional gadgets like computers and phones. In addition to wearables, IoT devices span from washing machines and fridges to military surveillance robots. In 2020, 445 million wearable devices were shipped to consumers, and in 2021, the wearables industry reported a revenue of $41.94 billion. Researchers speculate that 41.6 billion IoT devices will exist by 2025, showing a growing global appetite for connectivity.

Fitness wearables come in a variety of forms: from stylish jewelry like smartwatches, smart rings and smart bands, to high-tech continuous glucose monitors. Some folks, like me, wear one or more devices for “bio-hacking“ or “DIY biology,” which is the process of monitoring one’s input (e.g., kcal energy, sleep and meditation) and corresponding output (e.g., well-being, steps, and variable heart rate) to improve sleep, health, lifespan and/or athletic performance. Others wear them to record workouts, play music or simply tell the time.

But what data exactly are these IoT wearables tracking and what are they doing with it?

A review of Oura‘s Terms of Service, Health Privacy Policy and Teams Privacy Policy shows that:

• Oura collects sensitive health information, including heart rate, body temperature, BMI, women’s reproductive health information, fitness activities and user “tags” (e.g., whether the user wore a sleep mask, drank caffeine or cared for a baby late at night).
• Oura collects personally identifiable information, including name, age, contact and demographic information.
• Oura stores financial information, such as my credit card number.
• Oura uses GPS when enabled to track precise geolocation data during a workout, collecting and storing it, including my home address and where I typically run.
• Oura can share data with health care providers, but only if I opt in.
• Oura uses cookies to track my engagement with its website and others to analyze my behavior and target me with specific advertising.
• Oura uses the health data it collects to provide its services, as well as research and development and third-party integrations.

Altogether, Oura collects a lot of different data beyond the scope of my fitness activity, increasing my risk during a data breach.

Despite knowing that my data is being tracked, collected and used for purposes beyond optimizing my health and athletic performance, I still wear my health trackers and plan to continue. I appreciate the convenience and health insights, and I am willing to accept the tradeoff. However, I limit online tracking by disabling cookies, and I don’t share my data with third-party vendors.

Here are some other ways we can keep our devices safe and protect ourselves against malicious actors.

Software and firmware updates: Software and firmware updates often fix vulnerabilities identified by device engineers. If an update is being pushed to your device, there’s most likely a good reason for it. Don’t silence or delay the updates too long because they can leave your device vulnerable to bad actors or viruses.

Limit connectivity: In 2019, an ethical hacker identified IT security vulnerabilities in the expansive connectivity of a continuous glucose monitor (GCM), alerting regulators that malicious hackers could connect wirelessly to a CGM device and modify the delivery of insulin, with catastrophic health impacts. Always review your device’s settings; disable device wireless connectivity, including Bluetooth, when not in use; and limit access to the minimum needed for use.

Vendors are not subject to HIPAA: Wearable fitness technology vendors are not considered “covered entities” under the Health Information Portability and Accessibility Act (HIPAA), which means they can sell your data. Fitbit, which was bought by Google in 2019, is an interesting example: Data collected by Fitbit can be used by Google to deliver targeted advertisements. These ads might consider any information shared with Fitbit: fitness goals, calorie tracking, sleep quality or any other metric inferred through use. You can usually opt out of this type of use by reading a company’s terms of service and privacy policies.

Know before you buy: Trusting a more expensive brand name is often better than saving money with an unknown brand when it comes to information security. All companies are susceptible to cyber incidents, potentially making your sensitive data vulnerable to misuse. Read consumer reviews, security information and a company’s privacy policy to understand the measures in place to protect your sensitive information.

Need help?

Concerned about a University of Utah or University of Utah Health data security incident? Contact the campus IT Help Desk at 801-581-4000, University of Utah Health ITS Service Desk at 801-587-6000, or the Information Security Office’s Security Operations Center at [email protected] for immediate assistance.

Did you receive a malicious or suspicious email? Use the Phish Alert button in UMail or forward the email as an attachment to [email protected].

Want to learn more? Reach out to the offices below.

• Office of General Counsel: Contact [email protected] if you are evaluating a service for your organization and are provided with a contract for goods or services.
• Privacy Office: Contact [email protected] if a third-party vendor will be accessing, viewing, storing, or using university-protected health information (PHI). If the terms of service or contract suggest data collection, a business associate agreement (BAA) or other data use agreement (DUA) may be legally necessary. Contact [email protected] with general inquiries about information privacy and your rights and responsibilities.
• IT Governance, Risk, & Compliance: Contact [email protected] if you are assessing a software or hardware service for your organization. The U’s Information Security Office must evaluate the security of new software or hardware.
• PIVOT: Contact PIVOT Center – Partners for Innovation, Ventures, Outreach & Technology (utah.edu) if you have an idea for innovating systems using apps or software.

Have an information privacy topic you’d like to know more about? Contact Bebe Vanek, information privacy administrator for University of Utah Health Compliance Services, at [email protected].