Fitbit Privacy or Lack Thereof – Exposing Sexual Activity of Its Users

Written by:

Well, privacy rears its ugly head in healthcare again. I don’t want to treat a person’s privacy lightly, but I must admit that I kind of had to laugh at the breach I’m about to tell you about. I think you’ll see why.

I first read about this privacy breach on this Techcrunch article (They originally found it on nextWeb). Here’s a quote from the Techcrunch article:

Yikes. Users of fitness and calorie tracker Fitbit may need to be more careful when creating a profile on the site. The sexual activity of many of the users of the company’s tracker and online platform can be found in Google Search results, meaning that these users’ profiles are public and searchable.

I’ve been a big fan of Fitbit and other devices like that which are trying to track a person’s health and fitness. I think there’s a real market for these devices, but this is a pretty ugly misstep for Fitbit. Although, a search for sexual activity and FitBit isn’t returning results any more. Here’s the Fitbit blog post which details the steps they’ve taken to secure their users profiles. Seems like a reasonable and a smart response to the privacy issue.

Before I go any farther, we should be clear that this isn’t a HIPAA violation. The patient put their information online and agreed to have that information out there. We could argue how much they really agreed to have their profile public, but I’m quite sure that Fitbit would be fine in a HIPAA lawsuit. However, that doesn’t mean they’re not taking the hit for poor decisions.

What can future healthcare app and device companies learn from the Privacy issues at Fitbit?

1. Default healthcare profiles to private. Allow the user to opt in to make it public. Some might want it public, but no company should assume it should be public. This isn’t Facebook.

2. Consider more granular privacy controls. I may want part of my profile public, but part private (ie. sexual activity in a fitness application).

3. Be aware of what you allow search engines to index. There’s a whole category of hackers called Google Hackers. They use Google to find sensitive information like the story above. It’s amazing the power of Google hacking.

Some suggestions to e-patients that put their health data online:

1. Be careful about what information you’re putting online.

2. Check out where the information you put online will be available. Is it private? Is it public? Is it partially public? Can search engines see it?

There’s little doubt that more and more healthcare information is going to be put online by patients. We’re going to see more and more privacy issues like the one mentioned above. This incident will do little to deter this trend. However, hopefully it can serve as a learning experience for Fitbit and other healthcare companies that are entering this new world of online health information.