Your Heart Rate. Your Stress. Your Pregnancy. Sold.
WHOOP promised your most intimate physiological data was “always protected.” A federal class action lawsuit says the company secretly embedded a third-party tracker inside its app and handed your vitals to a corporation you never heard of — without your knowledge or consent.
While you were sleeping, WHOOP was watching — and then it told a stranger exactly what it saw.
That stranger is a company called Segment. You didn’t agree to share your data with Segment. You didn’t sign anything authorizing Segment to collect your resting heart rate at 2 a.m., your current stress score, your respiratory rate, whether your blood oxygen is outside a healthy range, or what health videos you watched in private. According to a federal class action filed on August 13, 2025, WHOOP handed all of that over anyway.
WHOOP built its entire brand around trust. The company positioned itself as a health partner, a physiological coach, a vault for your most sensitive biological data. Users paid up to $359 a year (more than the average American spends on a week of groceries) for a wearable they trusted with information they wouldn’t share with most doctors. WHOOP collected that trust — and then, the lawsuit alleges, quietly monetized it.
The Data Machine Strapped to Your Wrist
24/7 Surveillance, Sold as Self-Improvement
WHOOP is worn around the clock. The company designed it that way. The device measures heart rate, heart rate variability, resting heart rate, max heart rate, respiratory rate, blood oxygen levels (SpO2), skin temperature, sleep stages, sleep debt, VO2 max, workout strain, and recovery scores — a continuous, real-time physiological readout of your entire body.
The “Peak” membership tier adds a real-time Stress Monitor that calculates a stress score between 0 and 3, comparing your current heart rate and HRV to your personal 14-day baseline. The “Life” tier goes further, adding daily blood pressure insights, ECG readings, and on-demand AFib detection. The FDA recently issued a warning to WHOOP asserting that these devices are medical devices and must be tested as such.
WHOOP also tracks women’s menstrual cycles, hormonal shifts, and pregnancy. The platform promises to help women “understand [their] unique body and cycle” and provides “personalized guidance and weekly insights” for pregnant users covering sleep, hydration, and more. This is the data profile the lawsuit says WHOOP handed to a third party without a word to the people wearing the device.
The Subscription Structure That Trapped Your Data
WHOOP does not sell hardware. Users purchase a membership — ranging from $199 to $359 per year (the cost of two months of utilities for many households) — and receive the wearable device as part of that subscription. The three tiers are called “One,” “Peak,” and “Life,” each collecting progressively more sensitive physiological data.
Because users buy a membership to the app, the app is the product. And inside the app, according to the lawsuit, WHOOP embedded Segment: a third-party data collection tool that was silently listening to everything users did, every vital they viewed, and every video they watched.
The Non-Financial Ledger: What a Breach Like This Actually Takes From You
They Knew Exactly What They Were Taking
WHOOP did not accidentally collect sensitive data. The company deliberately engineered a product that tracks your body at the most vulnerable moments: when you are asleep, when you are stressed, when you are sick, when you are pregnant, when your heart is struggling to recover. WHOOP marketed that intimacy as its core feature. “Unprecedented visibility into the relationship between physiology and performance.” Those are the company’s own words.
Then, according to the lawsuit, WHOOP handed the fruits of that intimacy to Segment — a stranger in the data economy — without asking. That is a specific kind of betrayal. You did not just have your credit card number stolen. You had your body stolen. Your stress levels at 11 p.m. on a Tuesday. Your sleep patterns for the past year. Your resting heart rate during a difficult month. Your HRV scores, which can indicate depression, chronic illness, and cardiac events. All of it, sent to a third party that you never agreed to meet.
Pregnancy Data Is in a Category of Its Own
The lawsuit specifically calls out reproductive health data. WHOOP actively courted pregnant users, offering “personalized guidance and weekly insights” for managing pregnancy through physiological tracking. Women using WHOOP during pregnancy trusted the platform with data that is extraordinarily sensitive in the current political and legal landscape in the United States, where reproductive health data has been weaponized in criminal prosecutions.
The complaint directly states that Segment collected information about users’ “reproductive health.” WHOOP’s own published pledge stated that “reproductive health” data “is always protected.” The gap between that promise and what the lawsuit alleges actually happened is not a technicality. It is a fundamental violation of the most intimate trust a user can place in a technology company. Women who used WHOOP while pregnant, while tracking their cycles, or while managing hormonal health conditions had every reason to believe that information stayed between them and their doctor.
The Video Viewing History Angle Is Darker Than It Sounds
One of the two legal claims in this lawsuit involves the Video Privacy Protection Act, a federal law that was originally passed to prevent video rental stores from disclosing what movies customers watched. It sounds quaint. It is anything but. WHOOP’s app includes a library of health videos: “Understanding Average Heart Rate,” guided meditation sessions, stress reduction breathwork, relaxation exercises. The titles of those videos reveal private health concerns just as clearly as a diagnosis would.
If WHOOP shared the fact that a specific named user, at a specific email address, watched a video about managing stress, or a breathing exercise for anxiety, or a meditation for sleep disorders — that user’s mental health status has effectively been disclosed to a third party without consent. The law recognizes that what you choose to learn about your own body is private information. WHOOP, the lawsuit alleges, disclosed it anyway, paired with users’ full names and email addresses.
The Damage Goes Beyond the Individual
Health data is forever. Once Segment collected your resting heart rate, your blood oxygen levels, your stress scores, and your full name and email address, that linkage exists in their systems. It can be sold, subpoenaed, hacked, or leaked. The class action complaint states plainly that “there is significant economic value in their medical information that Defendant capitalized on.” WHOOP users paid for a health coaching tool and became, without consent, a product in the data supply chain.
The downstream uses of this data are not speculative. Health data informs insurance underwriting decisions. It informs employer wellness programs. It informs targeted advertising for pharmaceuticals, mental health apps, and medical devices. Every person whose stress score, cardiac data, or reproductive health information was disclosed to Segment lost something that cannot be refunded: control over the narrative of their own body.
— Federal Class Action Complaint, Steven Lomeli v. WHOOP Inc., August 13, 2025
Legal Receipts: The Quotes That Should Sink Them
Direct Evidence Source: Federal Complaint
These are verbatim passages from the federal class action complaint filed against WHOOP. Read them. Then read WHOOP’s privacy pledge directly below. Hold both in your head at the same time.
“Unbeknownst to consumers (and contrary to WHOOP’s representations), however, WHOOP embedded a third-party tracker called Segment into its mobile app that allows Segment to collect consumer data from the WHOOP app.”
Complaint ¶31 — The Core Allegation
“WHOOP discloses to Segment personal information on Plaintiff and the Class including their full name, email address, height, weight, birthday, city, gender, username, and information about their mobile devices (such as their phone make, model, operating system, screen size, and their phone carrier’s name, among other).”
Complaint ¶32 — The Scope of the Data Transfer
“Furthermore, WHOOP discloses the consumer’s vitals along with the consumer’s PII. Segment collects information about the consumer’s resting heart rate, max heart rate, minimum heart rate, among others. For example, when viewing the ‘Stress Monitor’ screen, Segment collects the consumer’s current stress levels.”
Complaint ¶33 — Real-Time Medical Data Disclosure
“WHOOP also discloses to Segment the consumer’s ‘Health Monitor’ data which is an overview of the consumer’s overall health and includes their respiratory rate, blood oxygen levels, resting heart rate, heart rate variability, and skin temperature, and whether those vitals are within (or outside) an acceptable and healthy range.”
Complaint ¶34 — The Full Health Profile
“Our members provide us with an unprecedented amount of accurate physiological data… We use aggregated or de-identified wellness data that no longer identifies a particular individual (and is thus no longer personal data)… We know privacy and security are important to you. We are committed to making WHOOP the best tool to monitor and understand the body.”
WHOOP’s Own Published “Privacy Principles” — Quoted in Complaint ¶30
“Plaintiff and the Class sustained an economic loss. That is, they would not have paid the full value of the WHOOP subscription or would have not purchased a WHOOP subscription had they known Defendant would disclose their medical information. Further, there is significant economic value in their medical information that Defendant capitalized on.”
Complaint ¶59 — The Financial Harm to Users
Societal Impact Mapping
Public Health: When Medical Data Leaves the Building
The data WHOOP collected is not lifestyle data. The FDA’s recent warning asserts that WHOOP’s devices are medical devices, which places them in a different legal and ethical category than a step counter or a sleep log app. The complaint documents that WHOOP’s “Life” tier provides “medical-grade health and performance insights,” including ECG readings and on-demand AFib detection. AFib — atrial fibrillation — is a serious cardiac arrhythmia. Knowing someone has sought information about AFib, or that their vitals are “outside an acceptable and healthy range,” is knowing something about their medical status.
When that level of data leaves an app without consent and lands at a third-party analytics company, the public health implications are real and permanent. Insurance companies and data brokers operate in the same ecosystem as analytics firms like Segment. Health data that gets into that ecosystem has historically found its way into actuarial models, denial-of-coverage algorithms, and profiling systems. Every WHOOP user whose cardiac or respiratory data was shared without consent became an unknowing participant in an experiment in health data commodification.
The California Medical Information Act, one of the two statutes at the center of this lawsuit, exists precisely because California legislators recognized that health information disclosure without consent causes direct, concrete harm. The complaint argues WHOOP violated it. The FDA’s warning that WHOOP’s devices are medical devices makes that argument substantially stronger: the data being shared was not just sensitive, it was medical.
Economic Inequality: Who Bears the Cost of a Trust Violation
WHOOP memberships run $199 to $359 per year (the equivalent of one to two months of groceries for a family of four). That price point means WHOOP’s user base skews toward people with disposable income: people who could absorb the cost of a premium health wearable subscription. But it also means those users had a reasonable expectation of a premium product with premium privacy protections. The price tag was, in part, paying for trust.
The lawsuit seeks $2,500 per person under the Video Privacy Protection Act (enough to cover a month of rent in most mid-size American cities) and $1,000 per person under California’s Medical Information Act (enough to cover several weeks of groceries for a household). Individually, those numbers are meaningful to ordinary people. At class-action scale, with millions of potential class members, they represent a number that could genuinely hold a corporation accountable. Whether that accountability materializes depends entirely on the courts and on public pressure.
The economic inequality dimension runs deeper than the settlement math. Health data is an asset. WHOOP users generated that asset with their own bodies, wearing a device 24 hours a day, 7 days a week. The complaint states directly that “there is significant economic value in their medical information that Defendant capitalized on.” Users created the value. WHOOP allegedly extracted it and handed it to Segment without sharing the benefit or seeking permission. That is a description of labor without compensation, executed at the biological level.
The Scale of What They Owe
Filed Damages Breakdown
To put the damages in perspective: the federal Video Privacy Protection Act allows up to $2,500 per person in liquidated damages (enough to cover a month of rent for the average American renter in most cities outside New York and San Francisco). The California Medical Information Act adds another $1,000 per person (enough to cover roughly six to eight weeks of groceries for a household). The case seeks both, plus punitive damages on top.
The total amount in controversy exceeds $5,000,000 (enough to fully fund a rural community health clinic for several years) by the complaint’s own statement. And that floor figure assumes a relatively small class. WHOOP has a global subscriber base. The real exposure, if every qualifying member were included, could be orders of magnitude larger.
What Now? The Watchlist and the Way Forward
Action Required
Corporate Roles to Watch
- WHOOP Inc.: Executive leadership at WHOOP, Inc., headquartered at One Kenmore Square, Boston, MA. The company’s CEO and Chief Privacy Officer hold direct accountability for the app’s data architecture and the Segment integration.
- Segment: The undisclosed third-party tracker embedded inside the WHOOP app. Segment is a customer data platform. The complaint names it as the recipient of users’ medical data, PII, and video viewing histories. Segment’s parent company and data retention practices warrant independent scrutiny.
Regulatory Watchlist
- FDA: Already flagged WHOOP’s devices as medical devices requiring proper testing. The FDA’s Center for Devices and Radiological Health has jurisdiction over WHOOP’s hardware.
- FTC: The Federal Trade Commission has enforcement authority over deceptive privacy practices. WHOOP’s published privacy pledge versus its alleged actual behavior is a textbook deceptive practice case.
- California Attorney General: California’s Medical Information Act (Cal. Civ. Code § 56) and broader CCPA enforcement fall under the AG’s office. This case was filed in California and involves California residents.
- CFPB: The Consumer Financial Protection Bureau has shown interest in data broker practices and financial harm from unauthorized data disclosure. The economic damages framing in this complaint fits their mandate.
- Congress: The Video Privacy Protection Act at the center of this case was written in 1988 for VHS rental stores. Legislators focused on health data privacy should be updating it for wearable medical devices.