Protecting Health Data & Reputation in a Digital Age
Learn how gyms and wellness brands can prepare for cyber threats with proactive planning and communication strategies
Meghan Tisinger is managing director of Leidar, an international communications firm. She leads the Health and Wellness practice and is a sought-after advisor.
Health data has emerged as one of the most vital forms of personal information, often described as “currency.” Fitness-related data provides insights into personal health, habits, and behaviors, making it a lucrative asset for companies—and a prime target for cybercriminals seeking to exploit its sensitivity and financial worth.
This emerging threat is particularly dangerous for gyms, fitness organizations and wellness platforms as they digitize their operations and integrate wearable technology, mobile apps and online memberships into the user experience. As these businesses become custodians of sensitive health data, they are increasingly attractive targets for cyberattacks.
As John Chambers, CEO of Cisco Systems, said, “There are only two types of organizations: Those that have been hacked and those that don’t know it yet!”
Even household brands like Garmin, MyFitnessPal and Fitbit have fallen victim to cyberattacks, underscoring the scale of the threat. For example, in 2018, the MyFitnessPal app suffered a breach exposing 150 million user accounts, shaking consumer trust.
Smaller organizations are not immune. Independent gyms, for instance, are frequent ransomware victims because they often lack the resources or expertise to implement robust cybersecurity measures. In one case, a boutique gym in Colorado faced a ransomware attack that locked them out of their booking systems, halting operations for several days and costing them thousands in lost revenue.
The risk is poised to grow as the wellness industry—currently valued at $5.86 trillion—is projected to expand to approximately $9.25 trillion by 2033. For wellness organizations handling customer data, preparing for a cyber incident requires more than just technical safeguards. A strategic communication plan is vital to protect their reputation and uphold customer trust in the aftermath of a breach.
Proactive Measures for Cybersecurity Preparedness
Building a Team in Peacetime
One of the most crucial steps wellness organizations can take is solidifying their team before a crisis strikes. Many organizations with cybersecurity insurance have access to external law firms, forensic experts, and communications specialists, but valuable time is lost if these relationships aren’t established beforehand.
Take the example of a fitness studio chain in the Midwest that proactively partnered with a cybersecurity firm and PR specialists. When they experienced a breach, they were able to activate their team immediately, minimizing downtime and safeguarding their reputation. By scheduling introductory calls and establishing clear response protocols in advance, organizations can avoid scrambling to assemble a team during an incident.
Constructing a Mitigation Plan
Peacetime should also be used to identify worst-case scenarios and construct a mitigation plan. Start by determining which data would be most damaging if stolen. For instance, a gym’s membership database that includes health assessments and payment information would likely require the highest priority response.
Critical stakeholders, such as franchise owners or brand ambassadors, must also be included in these plans. Pre-writing communication materials—such as statements, FAQs, and talking points—allows organizations to respond quickly and confidently. These materials should be vetted by legal teams to ensure compliance and avoid potential litigation risks.
The late Richard Levick, who pioneered the field of crisis communications and was CEO of Levick Strategic Communications, once said, “Use peacetime wisely: plan now for what to say and do in a crisis.”
Training Spokespeople and Managing Media
Media training for designated spokespeople ensures that they are equipped to handle the pressure of a crisis. For example, after the Garmin ransomware attack, the company’s swift and transparent public response demonstrated the importance of having trained personnel ready to address concerns.
Leveraging Social Media and Digital Platforms
During a cyber incident, social media and website updates often serve as the first point of contact for customers. Wellness organizations should ensure only trusted team members have account access and that scheduled posts are reviewed regularly to prevent inadvertent reputational damage.
For example, after Peloton faced criticism over data privacy concerns, the company used its social channels effectively to issue updates, clarify misunderstandings, and rebuild trust.
The Importance of Preparation
As cyber threats continue to grow, wellness organizations must prepare for the inevitable. Even without full-time cyber and communications specialists, external teams can provide critical guidance to protect customer data and uphold reputations. With proactive planning, fitness and health companies can emerge from cyber incidents with their credibility intact and their customer trust preserved.
“In today’s digital age, being unprepared for a cyber crisis is like leaving your front door wide open in a storm—it’s not a matter of if you’ll face damage, but when and how severe it will be. A lack of preparedness can lead to operational disruption, financial loss, and irreparable harm to your organization’s reputation. Proactive planning and response strategies are no longer optional; they’re essential for survival,” said Rolf Olsen, CEO of Leidar.