In late June, Robert F. Kennedy Jr. told Congress that he wants all Americans wearing health-tracking devices within the next four years. Wearables, the Health and Human Services secretary said, are “key” to his Make America Healthy Again agenda. “It’s a way people can take control of their own health. They can take responsibility,” he told lawmakers. “They can see, as you know, what food is doing to their glucose levels, their heart rates, and a number of other metrics as they eat it, and they can begin to make good judgments about their diet, about their physical activity, about the way that they live their lives.” The agency is now preparing to launch a public-health campaign encouraging people to use these devices.
Of course, the idea that the Trump administration is pushing for more people to record their own health information raises some eyebrows. What does this mean for consumers’ private data? Even MAHA allies were spooked. “Wearables are spy devices,” one posted after Kennedy’s statement. After all, earlier this year Kennedy announced that HHS was set to create a national autism database using Americans’ insurance claims, electronic medical records, and data from wearables.
So can the government access the private health data collected by these devices? How much risk are we exposed to, really? I spoke with Alex Hamerstone, a cybersecurity expert at the consulting firm TrustedSec, and Matthew Guariglia, a senior policy analyst at the nonprofit Electronic Frontier Foundation, to figure it out.
First, what exactly are wearables?
These are health-tracking devices that collect biometric data from you. Some common examples in the market are Oura rings, Fitbits, and Apple watches. “They collect things like your heart rate based on feeling your heart beating in your wrist or your finger,” Guariglia says. “They track your sleep. They can track about anything your body does and emit evidence of how it’s doing.”
Wearables have been around for a long time — remember pedometers? — but in recent years the market has exploded with many other options, says Hamerstone. For example, devices that were once typically prescribed by physicians, like wearables that monitor blood sugar, are now more widely available. “These consumer-level wearables are things that we think about when it comes to people using tracking and managing fitness. There’s also other products in that ecosystem,” he adds. “For example, my scale. I don’t wear it, but it communicates with my phone, and then the app for my scale shares that information with Apple Health.”
What are some of the general privacy issues around these devices?
The main concern is the sheer amount of data that is out there from each of us, even outside of what health-tracking devices collect, says Guariglia. Combining health information, like your menstrual cycle or workout metrics, with other data collected by your electronic devices, like your phone’s location services, can help give someone a pretty comprehensive picture of your habits and lifestyle. “Whenever you have a lot of very personal data like that, it usually ends up becoming a target for someone, whether that is hackers, bad actors who want to compromise your device, or even law enforcement,” he says.
If someone were to steal your data, there’s very little recourse as a consumer. The data can also be sold to a third party, such as researchers, advertisers, and other companies, without your knowledge or consent — or you may even opt in to sharing your information in one specific way with the company that created a device, only for the parameters to change without your input later, says Hamerstone. “Look at the 23andMe thing: People chose to share their data a certain way, and then after something like a bankruptcy your data then may be used in a way you didn’t agree to,” he says. There are very few protections for the user in that scenario as well.
Can the government get its hands on this information? How worried should I be?
RFK’s announcement certainly raised some red flags for Guariglia. We don’t yet know whether the Trump administration wants to simply encourage Americans to use wearables or if federal agencies would also access the data these devices collect.
It wouldn’t be hard for a government or law-enforcement agency to obtain your personal data. “We have this legal precedent in the United States where if you give your data to a third party, what they do with it is up to them because you have theoretically already relinquished control over that data when you gave it to a third party,” says Guariglia. “In my opinion, this is a very backwards and wrong way of doing data protection. But it means that police can simply send an email to a company saying that they want your data and really there’s no obligation that a company asks for a warrant signed by a judge” before complying. And while HIPAA protects your private health information when it’s used by your medical provider or insurance company, the law does not apply to the data collected by health-tracking devices.
The government, however, already has access to a treasure trove of Americans’ health data, says Hamerstone. “If you’re on Medicare, Medicaid, or any other type of federal program, the government already has a lot of that information,” says Hamerstone. “The government also collects statistics on all kinds of things, though most of it is depersonalized.”
And a lot of that information is currently being consolidated by the Trump administration, says Guariglia. “So the information you give one agency is likely to be used by others now,” he says. Another concern that HHS has yet to clarify is what may happen with consumers’ private data if the government actually purchased these wearables for people. “If HHS is using federal grant money to pay for your device, and there’s a chance they might get access to the data from your device because they have supplemented the money to pay for it, then I would worry where that data is also being used,” he adds.
There is also a less nefarious explanation for HHS’s campaign: Some members of the Trump administration could profit handsomely from more consumers purchasing wearables. Take Kennedy’s MAHA ally Calley Means, a lobbyist who’s been hired as a White House adviser. His company helps people get the cost of fitness technology, including health-tracking devices, reimbursed tax-free through the use of HSA and FSA accounts. His sister Casey Means, who has been nominated to be surgeon general, is also the co-founder of a company that sells continuous glucose monitors — the same type of wearable Kennedy is trying to promote.
How can I keep my data safe, then?
Absent taking extreme measures to drop out of society and live without tech? You’re unlikely to eliminate all risk, but there are some steps you can take to better protect your private health information. Hamerstone says you can consider a “dumb wearable,” or a device that doesn’t connect to the internet and stores data in itself rather than in a server. Another option is to use an older model of a wearable rather than the latest, flashiest one. “The amount of data my current Apple Watch collects versus the first one I had is much different,” he says.
You might also consider devices that offer end-to-end encryption either by default or with the option to turn it on, says Guariglia. If your device provides the option to download other apps, he also recommends figuring out what those additional data-retention policies are.
One of the simplest ways to lower your exposure, though, is to take your wearable off when you don’t need it. “If you are wearing this device because you’re particularly interested in tracking your runs or you’re really interested in seeing how well you’re sleeping at night, consider not having it on all the time,” he says. “Just really reduce the amount of data about you that these devices collect.”
The Electronic Frontier Foundation also offers a surveillance self-defense guide that could be helpful, says Guariglia. “All these devices have their own risks,” he says. “Part of the work has to do with your threat model of what data you’re trying to protect from whom.”