Your Fitness Tracker Knows Your Heart Rate, Sleep Schedule, and Location. Who Else Does?

580 Million Devices Tracking Your Body

In 2024, over 580 million wearable devices shipped globally. [1] They track your heart rate, sleep patterns, menstrual cycles, stress levels, and every step you take.

That data exposed secret military bases in Afghanistan and Syria. [2] It can be sold to insurance companies to adjust your premiums. [3] And HIPAA, the health privacy law, doesn't protect most of it. [4]

Your fitness tracker monitors your body 24/7. But the law barely monitors what happens to that data.

The Strava Disaster: When Jogging Exposed Secret Bases

In January 2018, a 20-year-old Australian student named Nathan Ruser was browsing Strava's global "heatmap", a visualization of 13 trillion GPS data points from the fitness app's users. He noticed something odd: bright lines in Syria, Afghanistan, and other conflict zones. [2]

Those lines were US military personnel jogging around secret bases.

What Got Exposed

Strava's heatmap revealed or confirmed: [5]

  • US military bases in Afghanistan, Syria, and Djibouti
  • CIA facilities and suspected black sites
  • Patrol routes around sensitive installations
  • Operating patterns of military personnel
  • Bases belonging to the UK, France, Turkey, Russia, and other nations

In remote areas where locals don't use fitness apps, American soldiers' jogging routes lit up like beacons on the map. [6]

It Happened Again in 2024

The problem wasn't fixed. In October 2024, French newspaper Le Monde published "#StravaLeaks", showing that: [7]

  • President Macron's security detail posted runs near hotels before his visits
  • Secret Service agents protecting US presidents exposed operational routines
  • Israeli soldiers near Gaza mapped sensitive military positions
  • Security personnel for Biden, Harris, Trump, Putin, and Macron all had their locations compromised

Six years after the original incident, the underlying problem remains unsolved. People who should know better keep sharing their location through fitness apps.

The $60 Billion Health Data Market

The global fitness tracker market hit $60.9 billion in 2024. [1] By 2030, it's projected to reach $162.8 billion. That's not just hardware sales; it's the value of the data being collected.

Scale of Collection

  • 580M+ wearable devices shipped (2024) [1]
  • 454M smartwatch users globally [8]
  • 68M users in the US alone [8]
  • 45% of Americans use fitness trackers [9]

What's Tracked

  • Heart rate (24/7)
  • Sleep patterns and quality
  • Steps and exercise
  • GPS location
  • Menstrual cycles
  • Stress and HRV
  • Blood oxygen (SpO2)

Privacy Risk Scores

  • Highest risk: Xiaomi, Wyze, Huawei [10]
  • Lowest risk: Google, Apple, Polar [10]
  • 76% lack transparency reporting [10]
  • 65% have no vulnerability disclosure [10]

Google Bought Fitbit, And Your Data

In January 2021, Google completed its $2.1 billion acquisition of Fitbit. [11] Privacy advocates immediately raised concerns.

What Google Gets

Fitbit had over 29 million active users when Google bought it. Each user brings: [12]

  • Years of historical health data
  • Sleep pattern records
  • Heart rate history
  • Exercise habits
  • Location data from workouts
  • Weight and dietary logs

Combined with Google's existing data (search history, Gmail content, YouTube viewing, Android phone location, Chrome browsing), this creates what European economists called "unique opportunities for discrimination and exploitation of consumers." [13]

Google's Promises

Google claims: [14]

  • Fitbit health data won't be used for Google ads
  • They never sell personal information
  • The data will be kept separate from advertising systems

Privacy advocate Paul Bischoff wasn't convinced: "Just because the companies say user data will not be used for advertising now does not mean that won't change." [13]

The Forced Migration

In 2024-2025, Google began requiring Fitbit users to migrate their accounts to Google. [15] When users selected "maybe later," the app sent them back to the beginning of the prompt. There was no way to proceed without handing their data to Google.

All new Fitbit devices now require a Google account to set up.

The HIPAA Loophole

Here's the uncomfortable truth: HIPAA doesn't protect your fitness tracker data. [4]

What HIPAA Actually Covers

HIPAA (the Health Insurance Portability and Accountability Act) only protects "Protected Health Information" (PHI) handled by "covered entities": healthcare providers, health plans, and healthcare clearinghouses.

Consumer wearables don't qualify. Your Fitbit isn't a healthcare provider. Your Apple Watch isn't bound by HIPAA. [16]

What This Means

Your fitness tracker data can be: [3]

  • Sold to data brokers without your specific consent
  • Shared with insurance companies to adjust your premiums
  • Accessed by employers through corporate wellness programs
  • Used by law enforcement with fewer restrictions than medical records
  • Bought by marketers for targeted advertising

Insurance Companies Want Your Data

Health and life insurers are increasingly interested in wearable data. [17]

How It Works

Some insurance programs already offer discounts for sharing fitness tracker data. The pitch: prove you're healthy, get lower rates.

The flip side: if your fitness data reveals a lifestyle more sedentary than you reported to your doctor, insurers could increase your premiums. [3]

What Insurers Can Infer

  • Activity levels: Do you actually exercise?
  • Sleep quality: Are you getting enough rest?
  • Heart rate patterns: Signs of stress or heart conditions
  • Location data: Do you live in a "high-risk" area?
  • Behavioral patterns: Consistent routines = lower risk

42% of large companies now include fitness trackers in employee benefit programs. [18] That's a lot of health data flowing to corporate wellness vendors, and potentially to insurers.

Reproductive Health Data After Roe

After the Supreme Court overturned Roe v. Wade in 2022, period tracking apps became a new privacy frontier.

The Fear

Menstrual cycle data could theoretically be used to infer pregnancies and pregnancy terminations. Law enforcement in states with abortion restrictions could potentially subpoena this data.

Company Responses

Oura Ring issued a statement: "Oura will oppose any request to provide legal authorities with access to user data for surveillance or prosecution purposes, and will notify users if we receive any such request." [19]

Other companies have been less forthcoming. If you're tracking cycles on a fitness app, know that the data exists and could be requested.

How Different Trackers Handle Privacy

Better Privacy Practices

Apple Watch

  • Stores sensitive health data encrypted on device
  • End-to-end encryption available for iCloud sync
  • Business model isn't advertising-based
  • Strong public privacy stance

Oura Ring

  • Subject to EU GDPR (Finland-based)
  • Doesn't sell data to advertisers
  • Offers "privacy mode" (airplane mode on device)
  • Published post-Roe statement opposing law enforcement data access [19]

Garmin

  • Business model based on device sales, not data
  • Relatively transparent privacy policies
  • No red flags in Mozilla's review

Higher Privacy Concerns

Fitbit (Google)

  • Now owned by Google (advertising company)
  • Forced account migration to Google
  • Google Fit APIs shutting down June 2025
  • Long-term data use uncertain despite promises

Xiaomi/Huawei

  • Highest cumulative privacy risk scores [10]
  • Subject to Chinese data laws
  • Less transparent data practices

Strava

  • Default settings share activity publicly
  • Heatmap feature exposed military bases
  • Location data visible to anyone unless locked down

The Security Breach Epidemic

Health-related cybersecurity breaches increased over 4,000% between 2009 and 2023. [20] The body-data market is expected to exceed $500 billion by 2030.

When fitness trackers get breached, attackers get:

  • Years of heart rate and health data
  • Sleep pattern records
  • GPS location history
  • Email addresses and passwords
  • Potentially sensitive health conditions

Unlike a credit card, you can't change your resting heart rate after a breach.

How to Protect Yourself

Before You Buy

  • Research privacy policies: Mozilla's "Privacy Not Included" rates wearables
  • Prefer on-device processing: Apple Watch keeps more data local
  • Avoid advertising-based companies: If the product is free, you're the product
  • Consider GDPR-based companies: EU privacy laws are stronger (Oura, Polar)

Privacy Settings to Change

Strava

  1. Go to Settings → Privacy Controls
  2. Set profile to "Followers" or "Only You" (not "Everyone")
  3. Enable "Hide Start/End Points" (adds privacy zones around your home)
  4. Disable "Enhanced Activity Heatmap" contributions
  5. Review past activities and make sensitive ones private
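What the "Hide Start/End Points" step actually does to a track, as an added example that is not code from the article or from Strava: every GPS point within a chosen radius of a home coordinate is dropped before the activity is shared, including any mid-route pass by home. The home coordinate, the 200 m radius and the sample track are constructed for the demonstration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 (lat, lon) points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def apply_privacy_zone(track, home, radius_m):
    """Remove every trackpoint within radius_m of home.

    track: list of (lat, lon) tuples in recorded order.
    Returns (kept_points, hidden_count). The whole segment inside the zone
    is removed, not only the first and last points, so an out-and-back run
    that passes home mid-route does not leak the location either.
    """
    kept = [p for p in track
            if haversine_m(p[0], p[1], home[0], home[1]) > radius_m]
    return kept, len(track) - len(kept)


# Constructed sample: a run that starts at home, heads north ~670 m and
# returns. 0.001 degrees of latitude is roughly 111 m.
HOME = (51.5000, -0.1200)          # hypothetical home coordinate
SAMPLE_TRACK = [(HOME[0] + d, HOME[1])
                for d in (0, 0.0005, 0.001, 0.003, 0.006, 0.003, 0.001, 0.0005, 0)]


def demo(radius_m=200):
    """Apply a privacy zone to the sample run; returns (kept, hidden)."""
    return apply_privacy_zone(SAMPLE_TRACK, HOME, radius_m)


if __name__ == "__main__":
    kept, hidden = demo()
    print(f"hidden {hidden} points, shared {len(kept)} points")
    for lat, lon in kept:
        print(f"  {lat:.4f}, {lon:.4f}")
```

Note the limit of this control: the shared track still begins and ends on the edge of a circle centred on home, so repeated activities narrow the location to that neighbourhood, which is why the general advice below is to disable GPS for workouts near home altogether.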

Fitbit

  1. Go to Settings → Privacy
  2. Set profile visibility to "Private"
  3. Disable "Share for Research" if not comfortable
  4. Review which third-party apps have access
  5. Regularly delete old data you don't need

Apple Watch

  1. Enable end-to-end encryption for Health data in iCloud
  2. Review which apps have Health data access
  3. Disable location for apps that don't need it
  4. Consider using "Private" workout types

General Best Practices

  • Disable GPS for workouts near home: Your neighborhood running route reveals where you live
  • Don't sync with every app: Each connection is a new data risk
  • Review third-party app connections: Revoke access you don't use
  • Use device PIN/lock: Protects data if device is lost
  • Consider what you really need tracked: Do you need 24/7 heart monitoring, or occasional workouts?

For Sensitive Situations

  • Reproductive health tracking: Consider apps with strong legal commitments or local-only storage
  • Military/security personnel: Don't use social fitness features, period
  • Activists/journalists: Your movement patterns are valuable intelligence; protect them
  • Domestic abuse situations: Fitness trackers can be used to track your location

What Needs to Change

A 2024 report titled "From Skin to Screen: Bodily Integrity in the Digital Age" recommends: [20]

  • Expand health privacy laws to cover data from wearables and fitness apps
  • Clarify data protection laws to encompass all forms of bodily data
  • Regulate data brokers that trade in health information
  • Require explicit consent for any health data sharing

Until those changes happen, you're largely on your own.

The Bottom Line

580 million wearables shipped in 2024. They track your heart, sleep, location, and activity. HIPAA doesn't protect most of this data.

Strava exposed military bases and presidential security details. Google owns Fitbit and its 29 million users' health histories. Insurance companies can buy fitness data to adjust your premiums. And period tracking apps could theoretically be subpoenaed in abortion investigations.

Some trackers handle privacy better than others. Apple, Oura, and Garmin have stronger protections. Xiaomi and Huawei have weaker ones. Fitbit's future under Google remains uncertain.

To protect yourself:

  1. Choose trackers with strong privacy practices
  2. Lock down sharing settings (especially on Strava)
  3. Disable GPS near your home
  4. Limit third-party app connections
  5. Consider what data you really need collected

Your body's data is valuable: to you, to companies, to insurers, and potentially to law enforcement. The tracker on your wrist generates it 24/7. Decide carefully who else gets to see it.

References

  1. Market.us - Fitness Tracker Statistics and Facts (2025)
  2. Newsweek - Fitness App Strava Reveals Location of Secret Military Bases Around the World (January 2018)
  3. GovTech - Could Your Fitbit Data Be Used to Deny You Health Insurance?
  4. MDPI Cryptography - Wearable Health Monitoring Devices and Privacy Regulations in the U.S.
  5. Mapulus - When Fitness Trackers Exposed Military Secrets: The Strava Heatmap Story
  6. Alphr - Strava is a military security nightmare as US base locations are leaked
  7. GIJN - Running Into Open Secrets: How to Investigate Using the Strava Fitness App (2024)
  8. DemandSage - Smartwatch Statistics (2025) - Users & Market Share
  9. Coolest Gadgets - Fitness Trackers Statistics By Market Size, Types, Usage
  10. Nature Digital Medicine - Privacy in consumer wearable technologies: a living systematic analysis
  11. PBS - Google bought Fitbit. What does that mean for your data privacy?
  12. Spirion - Is Google's Purchase of Fitbit a Data Privacy Risk?
  13. TechRadar - Where is all your health data going? The Google and Fitbit scandal explained
  14. Google/Fitbit - Our Continued Commitment To Data Privacy and Security
  15. Fitbit Community - My thoughts about the Fitbit app and Google migration
  16. GovTech - Health Device Data Is Protected, but Also Used, Shared
  17. NC State Data Column - Fitness Trackers' Ethical Use of Data (January 2024)
  18. Kaspersky - Fitness Tracker Privacy Risks
  19. Mozilla Foundation - Oura Ring Privacy & Security Guide
  20. IS Partners - Data Privacy at Risk with Health and Wellness Apps