Hims & Hers warns of data breach after Zendesk support ticket breach

Telehealth giant Hims & Hers Health is warning of a data breach after support tickets from a third-party customer service center were stolen.

Hims & Hers is an American telehealth company specializing in direct-to-consumer healthcare, offering subscription-based treatments for hair loss, ED, mental health, skin care, weight loss, and other conditions or needs.

It is one of the most successful US brands in the online pharmacy and telehealth space, with a strong marketing presence, and annual revenues approaching $1 billion.

According to a sample notification shared with authorities in California, the data breach occurred in early February 2026.

“On February 5, 2026, Hims & Hers, Inc. became aware of suspicious activity affecting our third-party customer service platform,” reads a letter sent to affected individuals.

“We took immediate steps to secure our customer service platform and began an investigation into the nature and scope of the potential security incident.”

“The investigation found that from February 4, 2026, to February 7, 2026, certain tickets sent to our customer service team were accessed or received without authorization.”

After an internal investigation, the company determined on March 3 that the hackers obtained support tickets, which in some cases contained personal information.

The information disclosed may include names, contact information, and other anonymous data, which may be related to the support request submitted in each case.

The company stressed that no medical records or communications with doctors were affected in the incident.

Although the company did not share more details, BleepingComputer discovered last month that the ShinyHunters gang had breached the company.

The data was stolen as part of a widespread campaign where threat actors compromised Okta SSO accounts to gain access to third-party cloud storage services and SaaS platforms to steal data.

In this attack, BleepingComputer was told that malicious actors used an Okta SSO account to access a Hims & Hers Zendesk instance, where they stole millions of support tickets.

The company is now offering 12 months of free credit monitoring services to all affected individuals.

Customers are also encouraged to remain vigilant against unsolicited communications that may contain phishing or social engineering attempts. They are also advised to review account statements and monitor credit reports for suspicious activity.

BleepingComputer contacted the company to request more information about the incident and how many customers were affected, but had not heard back at press time.

Two other recent high-profile customer support breaches that exposed customer data were those of DIY store chain ManoMano in February and Crunchyroll in March. In both cases, the platform involved was Zendesk.
