A woman jogs on a treadmill in a modern lab, surrounded by colorful floating biometric data icons (heart rate, steps, ECG), as three men in suits observe her from behind a glass wall labeled "Private Health Data Monetization Lab"—emphasizing the hidden risks of health apps that collect personal health data without users’ full awareness.

Fitness Apps: Your Health Data for Sale

Image generated by ChatGPT and edited in Affinity Photo

Your morning jog just generated dozens of data points about your location, heart rate, sleep patterns, and daily routines. That fitness app tracking your progress? It’s also building a detailed profile of your most intimate health information—and 80% of top fitness apps share user data with third parties.

As I research the intersection of technology and personal security for my upcoming cybersecurity book, one pattern keeps emerging: the tools we trust to improve our health often expose us to new digital vulnerabilities. With about 40% of U.S. adults now using health apps and 35% using fitness wearables, understanding these risks has never been more critical.

The Hidden Cost of Free Fitness Tracking

That ‘free’ calorie counting app isn’t actually free—you’re paying with your data. Popular fitness apps collect an average of 12 different types of data, including sensitive health information, precise location data, and personal identifiers. This creates a digital fingerprint far more detailed than most users realize.

The scope of data collection is staggering. Privacy International estimates that the average weight loss app asks users at least 50 questions related to their mental and physical health as well as their medical profile. Even more concerning, only about one-third of health apps implement basic encryption measures, leaving your sensitive information vulnerable.

Five Major Threats to Your Health Data

Data Sales to Third Parties: Your workout patterns, sleep cycles, and health metrics are valuable commodities. Fitness apps often partner with advertisers, using your data to show you relevant ads, while some fitness apps partner with research firms or health organizations to share anonymized data for studies. However, ‘anonymized’ data can often be re-identified when combined with other datasets.

Hacking and Breaches: The fitness app industry has a troubling track record of security failures. MyFitnessPal experienced a significant data breach in February 2018, affecting approximately 143 million user accounts, exposing usernames, email addresses, and hashed passwords. More recently, an unsecured database containing over 61 million records related to fitness trackers and wearables exposed Apple and Fitbit users’ data online.

Location Tracking and Stalking Risks: GPS-enabled fitness apps create detailed maps of your daily movements. The Stravaleaks case published by Le Monde on October 27, 2024, demonstrates how the use of the Strava app enabled journalists to predict the future movements and meeting locations of political figures such as Presidents Emmanuel Macron, Joe Biden, and Vladimir Putin. If investigative journalists can track world leaders, what does this mean for ordinary users facing potential stalkers or burglars?

Data Sharing with Employers or Insurers: Your personal information could be shared with or sold to third parties such as data brokers or law enforcement. Additionally, unauthorized sharing of personal health data collected by the apps with insurance companies can lead to increased premiums or denial of coverage. Some wellness programs even require employees to share fitness data, blurring the line between voluntary and coercive monitoring.

Long-Term Data Storage Without User Control: Unlike medical records protected by HIPAA, the information that fitness trackers collect isn’t considered “health information” under the federal HIPAA standard or state laws, such as California’s Confidentiality of Medical Information Act. This regulatory gap means companies can retain your data indefinitely, even after you stop using their services.
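The re-identification risk named in the first threat above can be measured before a dataset is shared. This added example (not from the original article; the records and field names are constructed) counts how many records share each combination of ZIP code, birth year, and sex, then shows how coarsening those fields raises the smallest group size.

```python
from collections import Counter

# Constructed sample of an "anonymized" export: names and emails are gone,
# but ZIP code, birth year and sex remain. Field names are assumptions.
RECORDS = [
    {"zip": "30301", "birth_year": 1984, "sex": "F", "resting_hr": 58},
    {"zip": "30301", "birth_year": 1984, "sex": "F", "resting_hr": 71},
    {"zip": "30305", "birth_year": 1986, "sex": "F", "resting_hr": 64},
    {"zip": "30309", "birth_year": 1981, "sex": "F", "resting_hr": 66},
    {"zip": "30312", "birth_year": 1975, "sex": "M", "resting_hr": 60},
    {"zip": "30318", "birth_year": 1979, "sex": "M", "resting_hr": 75},
    {"zip": "30324", "birth_year": 1972, "sex": "M", "resting_hr": 69},
    {"zip": "30327", "birth_year": 1978, "sex": "M", "resting_hr": 62},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest group size; k == 1 means at least one record stands alone."""
    return min(group_sizes(records, keys).values())


def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Share of records whose quasi-identifier combination is unique."""
    sizes = group_sizes(records, keys)
    alone = sum(1 for r in records if sizes[tuple(r[k] for k in keys)] == 1)
    return alone / len(records)


def generalize(record):
    """Coarsen the record: 3-digit ZIP prefix and decade of birth."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    for label, data in (("raw", RECORDS), ("generalized", coarse)):
        print(label, "k =", k_anonymity(data), "unique =", unique_fraction(data))
```

A record that is alone in its group can be matched to a named person by anyone holding another dataset with the same three fields, which is why removing names alone does not anonymize a health export.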

What You Can Control (And What You Can’t)

Understanding your leverage is the first step toward better protection. Here’s what the current landscape looks like:

What You CAN Control:

  • App permissions and privacy settings
  • Which apps you choose to install and use
  • How much personal information you share during setup
  • Whether to enable location tracking and data sharing features
  • Your decision to delete accounts and request data removal

What You CAN’T Control:

  • How companies actually use your data behind the scenes
  • Third-party partnerships you’re unaware of
  • Data retention policies after account deletion
  • Security vulnerabilities in app infrastructure
  • Government data requests to fitness companies

Two Immediate Actions You Can Take Today

Audit Your Current Apps: Open your phone’s settings and review which health and fitness apps have access to your location, camera, contacts, and other sensitive data. Review the provider’s terms of service before purchasing a fitness tracker and ensure there’s an option to opt out of data sharing if desired. Disable any permissions that aren’t essential for the app’s core function.

Choose Privacy-Focused Alternatives: When selecting new fitness apps, prioritize those with strong privacy policies and minimal data collection. Look for apps that store data locally on your device rather than uploading everything to cloud servers. Consider using your phone’s built-in health tracking features, which often have more robust privacy protections than third-party apps.

Fitness Apps Will Continue to Bank on Your Personal Data

The fitness app industry is expected to continue expanding—the global fitness app market size was estimated at USD 10.59 billion in 2024 and is projected to grow at a CAGR of 13.88% from 2025 to 2030. But growth shouldn’t come at the expense of user privacy and security.

Your health data reveals your most intimate patterns, vulnerabilities, and behaviors. Before trusting any app with this information, ask yourself: would you feel comfortable sharing this same data with strangers on the street? If not, think twice before clicking ‘accept’ on that privacy policy.

What’s Your Biggest Concern About Health App Privacy?

Have you discovered fitness apps collecting more data than expected? Do you think your fitness data has been sold? Are you receiving significant health-related advertising targeted to you? Share your experiences in the comments below—your insights could help other readers protect their digital health security.

Stay safe out there.
The Sage
