Protect Personal Information From Identity Theft
In the digitally enabled world of fitness, risk management and safety protocols extend to all the data on your phones and computers.

Over the past few years, a significant number of fitness professionals have made a shift from old-school paperwork to digital information storage systems. Online and offline, through smartphones and apps, fitness leaders maintain a database of their clients’ names, addresses, schedules, credit cards, bank accounts and sometimes even health-related information. Client data is often mingled with personal information on the same mobile device or computer. That makes it easier for cybercriminals to grab your personal information—and that of your clients—in one fell swoop to commit identity theft.
Identity theft—stealing personal information to impersonate someone for financial gain—impacted 42 million U.S. consumers in 2021 (Buzzard 2022). In fact, it tops the list of scams reported to the U.S. Federal Trade Commission. You can avoid becoming one of the victims, or enabling a client to be victimized, by making cybersecurity a routine part of your work.
Personal Information Is Everywhere!
Your name, driver’s license number, bank account numbers, credit and debit card numbers, Social Security number, home address, and health information are classified as personal identifiable information (PII), also called sensitive information (DOL n.d.).
A great deal of personal information is already available online or stored in the data centers of companies. Many fitness professionals are using third-party business apps to manage client schedules and payments. Health and fitness apps are on smartphones and smartwatches. Banking, shopping and booking tickets online all use technology that can expose sensitive information to cybercriminals.
Identity thieves ferret out personal identifying information through phishing scams seeking passwords and PINs. Thieves use psychology to trick victims into sharing information (Longtchi et al. 2022). You may receive an email, text or phone call claiming to be from a bank or online vendor asking to confirm the charge on an account or to update account numbers. Being busy, distracted or worried may trick you into replying. Cybercriminals scour the web for clues you leave. Posting birthdays or favorite foods on social media sites can give scammers the words to guess and steal passwords.
Warning Signs of Identity Theft
Identity thieves use personal information in a variety of ways. They may try to access an existing account, to open a new account in the victim’s name, or to use a person’s PII to deceive others for another type of fraud (e.g., unemployment insurance fraud). The Federal Trade Commission recommends looking for the following warning signs of identity theft (FTC n.d.a):
- any unrecognized charge on a credit card or credit report
- an unauthorized withdrawal from a bank account
- one or more merchants refusing your checks or credit
- getting calls from debt collectors about bills you do not owe
- receiving medical bills for services you did not use
- not receiving a bill you usually get in the mail
- not receiving expected payments, such as a tax refund
Protect Your Personal Information
There are things you can do to prevent identity theft. Think about your clients and colleagues as well as yourself when using the following risk management tactics (Steinberg 2020).
“Always stay vigilant,” advises Lisa Plaggemier, the executive director of the National Cybersecurity Alliance. “Reassess the integrity and source of a communication asking you to divulge personal information or take you ‘off e-mail’ for ‘verification’ purposes. Be wary of text- and phone-based requests from scammers claiming to need your PII to confirm payments or avoid consequences for lack of response (e.g., IRS scams during tax season).”
Most important: Never give your PINs, Social Security number, passwords or account numbers in response to any request through email, text, voicemail or messaging.
Limit sharing of personal information. Sharing birthday messages, names of schools and pets, and information about hobbies is common on social media sites. Friends and families see these—but so do hackers, who use this information to piece together passwords or gather details so they can pretend to be you for a phishing scam.
Be aware when using public Wi-Fi hotspots. Coffee shops and airports offer free Wi-Fi connections that can be convenient and help you pass the time. But public Wi-Fi can be hacked, so refrain from sending credit card numbers, personal details or any sensitive information across these services. You may want to install a virtual private network (VPN) if you use public sites (FCC 2021). A VPN provides an extra layer of privacy and anonymity between your data and the internet by cloaking your internet activity and location to help you avoid tracking, especially on Wi-Fi networks.
Check the terms of service at banks, online retailers and accounts that have your financial information. Financial institutions, government agencies, retailers and vendors will state if they will use email or phone to contact you. If you receive a suspicious message, don’t reply: Contact the institution on its official website or by calling the phone number you find there.
Read privacy policies and manage cookies. How many times do we accept cookies and acknowledge a privacy policy without reading it? Cookies track your actions on the internet. Privacy policies are lengthy and complex, but these also detail how your information will be stored and shared.
Check for encryption. Encryption scrambles information into a code to prevent unauthorized access. A key is needed to decrypt the code. For example, online shopping sites and banks use encryption to send credit card or checking account information across the internet. To check that your data is being encrypted by all online accounts and by third-party providers, such as a web-based fitness business or personal training apps, or the vendors whom you pay online, look at their web address. Websites with an address beginning with “https” encrypt the information sent between you and the site (FCC 2021).
Investigate data collection through mobile health and fitness apps. Smartwatches and mobile health and fitness apps have become valuable tools for fitness trainers and consumers. Among Americans who use wearables, a majority (70%) said using the apps has improved their fitness and health (Arbanas et al. 2022).
These apps track exercise and diet information, and they may also capture a person’s age, height, weight, overall health status and other markers. All of this is personal information. The health and fitness apps may not store information on the device being used. Instead, the app provider may contract with a third-party company to store and analyze the data being collected. A study in BMJ that examined mHealth third-party providers found that 23% of data transmissions followed insecure protocols and 28.1% had no privacy policy (Tangari et al. 2021). Read the privacy and security policies before using these apps.
Activate Bluetooth controls. When information is being sent to an app from a mobile phone or smartwatch, it may travel using Bluetooth technology. Bluetooth security features rely on how the device is configured. Go to the device’s security settings to check on Bluetooth protocols. Use the hidden mode (rather than discoverable), and turn off Bluetooth when not in use.
Regularly review online accounts. The quicker you can spot a problem with any account (bank, business operation, email, social media, etc.), the faster you can take action to halt misuse. Set a day each week to check all accounts. Enroll in a credit monitoring service, e.g., Experian, Equifax or TransUnion.
Close unused accounts. Take a moment to count up how many online accounts you have among social media, work, banking, shopping, credit cards and payment systems. A recent report from the National Cybersecurity Alliance found that 62% of adults surveyed held at least one (and up to nine) sensitive online accounts, and 38% had more than 10 (Nurse et al. 2022). Fewer accounts are easier to manage and provide less opportunity for hackers.
Reduce the Risk of Identity Theft to Colleagues and Clients
Cybersecurity is an issue for fitness businesses, whether you own a brick-and-mortar health club or studio or work independently as a personal trainer or instructor. Even very small businesses are at risk for a ransomware demand or attacks using stolen credentials (such as username and password). The motive is 100% financial: that is, to steal money (Verizon 2022). Business email compromise is also on the rise. For example, you may receive an invoice for payment from a vendor that looks almost exactly like the ones you’ve received before—except from a different address (FBI n.d.a).
Cybersecurity is a risk management issue that has the same priority as keeping the floor clear of discarded equipment or observing a client’s form and breathing. Apply all the cybersecurity actions in this article, and establish protocols for you and any employees to follow, at whatever level your business operates (Perkins 2019; FBI n.d.b).
Use encryption. Encrypt all transactions, and verify that vendors are maintaining encryption. Ask the commercial bank you do business with to help you take this step if you don’t know how.
Examine the cybersecurity of third-party suppliers and vendors. Take a close look at the privacy measures used by vendors and the subcontractors they may use. Third-party suppliers may have a data protection policy, but how do they implement and monitor it?
Restrict access to sensitive information. Limit the number of staff members who can access personal identifying information and financial information of your business and your clients. Demand that strong passwords are used to access information for the business. If a staff member leaves, immediately change the password.
Establish a policy on using personal devices for work. Do you allow it? What security is in place if a staff member accesses company information? What if the security on a personal device does not match the business’s requirement?
Create guidelines for email, social media and apps. Are all of these authorized? Which browsers do you require everyone to use? A staff member may like to use an app that does not match the security protocols for the business.
Make cybersecurity training an ongoing effort. That once-a-year review of cybersecurity is likely to be forgotten or ignored. Monthly updates may be more effective, especially when delivered in person during staff meetings. Use visuals, handouts and role-playing to educate and challenge staff to identify phishing and security risks (Konrad 2017). Websites for the National Cybersecurity Alliance and other U.S. federal agencies provide free resources you can use to develop a staff education program.
Cybersecurity Reduces the Risk of Identity Theft
In a busy world, protecting personal information and constructing unique passwords may seem like a back-burner project. However, human actions account for 82% of all data breaches, whether through someone responding to a phishing email, making an error, or having credentials, such as a username and password, stolen by an attacker (Verizon 2022). This means that many data breaches are also preventable! It makes sense to slow down, think and make smart choices that protect your information, your clients and the integrity of your business.
Have a Plan of Attack in Case You Get Hacked
If you become the victim of a cyberattack, there are immediate steps to take (FTC n.d.b; Steinberg 2020).
- Change your passwords. Immediately replace current passwords with new, complex ones. Never use the old passwords again.
- Immediately report the incident to the company(ies) you work for. If you use personal training or fitness business software from another company, notify them, too.
- Check your credit report for fishy transactions. Use Experian, Equifax or TransUnion to check your credit report, and look for credit cards you didn’t open. If you find one, phone the company’s fraud department to cancel the card, and place a fraud alert and/or credit freeze on your credit file.
- Check your bank account and other entities where financial information is used. Inform your bank or banks immediately. You may need to close current accounts and open new ones. If you have creditors, telephone them, too, and speak to their fraud department.
- File an identity theft report. File a police report. These reports list details and are proof that the fraud was committed. You may need these later if your credit or identity is questioned. Plus, sharing your experience can help organizations develop better systems to prevent or counter cyberattacks.
File an identity theft report:
IdentityTheft.gov
Report a cyber incident:
Canadian Centre for Cyber Security cyber.gc.ca/en/incident-management
Report cybercrime online:
European Union Agency for Law Enforcement Cooperation europol.europa.eu/report-a-crime/report-cybercrime-online
References
Arbanas, J., et al. 2022. Mastering the New Digital Life. 2022 Connectivity and Mobile Trends, 3rd edition. Deloitte Center for Technology, Media and Telecommunications. Accessed Oct. 13, 2022: deloitte.com/us/en/insights/industry/telecommunications/connectivity-mobile-trends-survey.html#introduction.
Buzzard, J. 2022. 2022 Identity fraud study: The virtual battleground. Javelin Strategy & Research. Accessed Nov. 9, 2022: javelinstrategy.com/2022-Identity-fraud-scams-report.
DOL (U.S. Department of Labor). n.d. Guidance on the protection of personal identifiable information. Accessed Feb. 20, 2023: dol.gov/general/ppii#:~:text=Personal%20Identifiable%20Information%20(PII)%20is,either%20direct%20or%20indirect%20means.
FBI (Federal Bureau of Investigation). n.d.a. Scams and safety: Spoofing and phishing. Accessed Nov. 10, 2022: fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/spoofing-and-phishing.
FBI. n.d.b. Scams and safety: Business email compromise. Accessed Feb. 20, 2023: fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise.
FCC (Federal Communications Commission). 2021. Wireless connections and Bluetooth security tips. Accessed Oct. 6, 2022: fcc.gov/consumers/guides/how-protect-yourself-online.
FTC (Federal Trade Commission). n.d.a. Warning signs of identity theft. Accessed Nov. 9, 2022: identitytheft.gov/#/Warning-Signs-of-Identity-Theft.
FTC. n.d.b. Report to help fight fraud. Accessed Nov. 1, 2022: reportfraud.ftc.gov/#/.
Konrad, C. 2017. Five ways to educate your workforce on cybersecurity and create awareness throughout your enterprise. Accessed Oct. 1, 2022: wwt.com/article/how-to-instill-cybersecurity-awareness-in-the-workplace.
Longtchi, T., et al. 2022. Internet-based social engineering attacks, defenses and psychology: A survey. Cornell University. Accessed Oct. 13, 2022: arXiv:2203.08302v2.
Nurse, J., et al. 2022. O, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2022. National Cybersecurity Alliance and Cybsafe. Accessed Feb. 20, 2023: cybsafe.com/whitepapers/cybersecurity-attitudes-and-behaviors-report/.
Perkins, J. 2019. 7 ways to protect your health club from a data breach. IHRSA. Accessed Oct. 21, 2022: ihrsa.org/improve-your-club/7-ways-to-protect-your-health-club-from-a-data-breach/.
Steinberg, S. 2020. The latest ways identity thieves are targeting you—and what to do if you are a victim. Accessed Oct. 6, 2022: cnbc.com/2020/02/27/these-are-the-latest-ways-identity-thieves-are-targeting-you.html.
Tangari, G., et al. 2021. Mobile health and privacy: Cross sectional study. BMJ, 373, n1248: doi:10.1136/bmj.n1248.
Verizon. 2022. Verizon Data Breach Investigations Report (DBIR). Accessed Nov. 4, 2022: verizon.com/business/resources/t787/reports/dbir/2022-data-breach-investigations-report-dbir.pdf.
Patricia Ryan, MS
Patricia Ryan, MS, develops educational content for leaders and professionals in the wellness, fitness and older-adult marketplaces. Ryan has conducted market research and authored numerous white papers, survey reports, industry analyses and research reviews along with producing educational webinars. She holds a master’s of science degree in instructional technology aimed at designing professional education. She was IDEA’s first editor in chief and developed the Gold Standard of content for which IDEA is still known.