Hims & Hers, a telehealth company, has disclosed a data breach involving its third-party customer support ticketing system after hackers gained access between 4 and 7 February 2026.
In a letter to customers, it warned of a data security incident that might have exposed their personal information.
On 5 February, the company said it became aware of suspicious activity affecting its third-party customer service platform. “We promptly took steps to secure our customer service platform and initiated an investigation into the nature and scope of the potential security incident.”
It added that certain tickets sent to its customer service team were accessed or acquired without authorization. “In response, we undertook a comprehensive review of the affected service tickets to determine what information was present and to whom it relates.”
On 3 March, Hims & Hers identified that personal information related to a limited set of individuals was present in the affected service tickets. The information in question included names and contact information. “Customer medical records were not impacted by this incident, and neither were communications with health care providers on the platform.”
The company said it takes this event and the security of information in its care seriously. “We promptly launched an investigation, secured the customer service platform, and worked to identify affected individuals. As part of our ongoing commitment to information security, we are reviewing our policies and procedures to reduce the likelihood of similar future incidents.”
Federal law enforcement has been notified, and relevant regulators will be notified, too. “We are offering complimentary credit monitoring and identity restoration services for 12 months through Cyberscout.”
A critical business liability
John Carberry, Solution Sleuth at Xcape Inc, said the event demonstrates that the shadow medical record residing in third-party support systems is a critical business liability. “The company’s distinction between its secure Employee Health Records (EHR) and a compromised vendor is irrelevant; exposing customer names alongside sensitive treatment categories (sexual health, anxiety) fundamentally violates patient privacy. This breach invites immediate litigation and severely damages consumer trust, undermining the brand’s promise of discretion.”
He said the event, driven by the social engineering of two employees, highlights a failure of identity governance rather than an encryption failure. “Security leaders must recognize that social engineering renders legacy multi-factor authentication (MFA) obsolete. To mitigate this, organizations should mandate phishing-resistant hardware keys and enforce strict IP allow listing for all SaaS administrative access. Furthermore, teams should implement aggressive data retention policies to anonymize or purge support tickets once a query is resolved. In a cloud-first ecosystem, the identity of the person answering a support ticket is as critical to the Internet perimeter as the hardening of the database itself.”
Carberry added: “Apparently, discreet shipping doesn’t apply to the customer support database.”
Ticketing systems have become a popular target
Denis Calderone, CTO at Suzu Labs, said: “Customer support ticketing systems have become a popular target in healthcare, and this is the third significant ticketing platform incident we’ve tracked in recent months. Earlier this year we saw an issue on Zendesk’s platform being abused as a spam relay through a configuration weakness, Discord lost 70,000 government-issued IDs through their support system last year, and now Hims & Hers has had a year’s worth of customer support tickets exfiltrated through a social engineering attack on two employees. It seems it’s time to start treating the ticketing platform with the same security rigor as we apply to other core applications.”
He said the fact that medical records were not affected may be technically accurate, in the sense that the clinical platform and provider communications are separate from the support ticketing system. “But think about what a support ticket at a telehealth company that sells weight-loss drugs, erectile dysfunction medication, and hair loss prescriptions actually contains.”
Not a meaningful distinction for patients
The company acknowledged that ‘treatment categories’ were among the exposed data, he continued. “If your support ticket says you want to cancel your GLP-1 subscription or you’re asking about side effects from your ED medication, that’s health information that can be discerned from the ticket context even if formal medical records were never touched. The distinction between ‘medical records’ and ‘sensitive health information a customer voluntarily submitted to support’ is meaningful to lawyers but not to the patient whose treatment category is now in an attacker’s hands.”
Calderone added that the blast radius here was made worse by what appears to be a full year of retained ticket data. “The breach window was only three days, February 4 through 7, but the exposed tickets span back to mid-February 2025. That’s twelve months of customer interactions sitting in a third-party platform. If resolved tickets had been purged on a 90-day retention policy, the volume of exposed data would have been a fraction of what it was. Data retention is one of the most overlooked blast-radius controls we see, and this is a textbook example of why it matters.”
He said for organizations running third-party support platforms, especially in healthcare or any industry handling sensitive customer data, a few controls would have helped here:
“1. Phishing-resistant MFA on all ticketing platform accounts. Two employees were socially engineered into granting access. Hardware keys or passkeys make that significantly harder to pull off.
2. Conditional access policies that restrict agent and admin access to managed devices and known network locations. Compromised credentials are less useful if they can only be used from an enrolled corporate device.
3. Aggressive data retention policies. Purge resolved tickets on a defined schedule. A year of accumulated support data is a year of accumulated risk.
4. Minimize sensitive data in ticket fields. Auto-redact PII where possible and avoid storing treatment-specific information in support ticket metadata unnecessarily.
5. Restrict bulk data export capabilities to only the roles that absolutely require it.”
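The retention and redaction controls above (items 3 and 4, and the blast-radius point about twelve months of retained tickets) can be put in numbers. The script below is an added example written for this article, not code from Hims & Hers, Suzu Labs, or any ticketing vendor: it builds a constructed set of support tickets spread over a year, applies a 90-day purge of resolved tickets and a redaction pass over contact details and treatment terms, and counts what an attacker who dumped the platform on 4 February 2026 would get with and without those controls. The ticket field names, the treatment-term list, and the regular expressions are assumptions for illustration, not a real schema or clinical vocabulary.

```python
"""
Added example, not code from the article or from any vendor: simulate two
blast-radius controls over a constructed set of support tickets, a 90-day
purge of resolved tickets and redaction of PII and treatment-specific terms.
Field names, patterns, and the term list are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Start of the breach window reported in the article.
BREACH_START = datetime(2026, 2, 4, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    status: str                      # "open" or "resolved" (assumed states)
    resolved_at: datetime | None     # None while the ticket is still open
    customer_name: str
    email: str
    treatment_category: str | None   # assumed metadata field, e.g. "weight loss"
    body: str


# Values that should not persist in a support archive (assumed patterns and terms).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
TREATMENT_TERMS = ("GLP-1", "semaglutide", "ED medication", "finasteride")
TREATMENT_RE = re.compile("|".join(re.escape(t) for t in TREATMENT_TERMS), re.IGNORECASE)


def purge_resolved(tickets: list[Ticket], now: datetime, retention_days: int = 90) -> list[Ticket]:
    """Control 3: keep open tickets and tickets resolved inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [
        t for t in tickets
        if t.status == "open" or (t.resolved_at is not None and t.resolved_at >= cutoff)
    ]


def redact(ticket: Ticket) -> Ticket:
    """Control 4: strip contact details and treatment terms, and drop the category field."""
    body = EMAIL_RE.sub("[email]", ticket.body)
    body = PHONE_RE.sub("[phone]", body)
    body = TREATMENT_RE.sub("[treatment]", body)
    return replace(ticket, email="[email]", treatment_category=None, body=body)


def reveals_treatment(ticket: Ticket) -> bool:
    """True if the ticket still discloses what the customer is being treated for."""
    return ticket.treatment_category is not None or TREATMENT_RE.search(ticket.body) is not None


def build_sample_tickets(now: datetime) -> list[Ticket]:
    """Constructed data: 12 resolved tickets, one every 30 days over a year, plus 2 open ones."""
    bodies = [
        "Please cancel my GLP-1 subscription, reach me at jane@example.com",
        "Having side effects from my ED medication, call 555-123-4567",
        "Where is my finasteride order? Shipping address unchanged.",
    ]
    categories = ["weight loss", "sexual health", "hair loss"]
    tickets = []
    for i in range(12):
        tickets.append(Ticket(
            ticket_id=i + 1, status="resolved",
            resolved_at=now - timedelta(days=30 * i + 5),   # 5, 35, 65, ... days before the dump
            customer_name=f"Customer {i + 1}", email=f"customer{i + 1}@example.com",
            treatment_category=categories[i % 3], body=bodies[i % 3],
        ))
    for j in range(2):
        tickets.append(Ticket(
            ticket_id=100 + j, status="open", resolved_at=None,
            customer_name=f"Open Customer {j}", email=f"open{j}@example.com",
            treatment_category=categories[j], body=bodies[j],
        ))
    return tickets


def exposure_counts(tickets: list[Ticket], now: datetime) -> dict[str, int]:
    """Tickets, and treatment-revealing tickets, an attacker dumping the platform at `now`
    would obtain with no controls versus 90-day retention plus redaction."""
    retained = purge_resolved(tickets, now, 90)
    retained_redacted = [redact(t) for t in retained]
    return {
        "tickets_no_retention": len(tickets),
        "tickets_90_day_retention": len(retained),
        "treatment_revealing_no_controls": sum(reveals_treatment(t) for t in tickets),
        "treatment_revealing_with_controls": sum(reveals_treatment(t) for t in retained_redacted),
    }


if __name__ == "__main__":
    for key, value in exposure_counts(build_sample_tickets(BREACH_START), BREACH_START).items():
        print(f"{key}: {value}")
```

On the constructed data the 90-day purge cuts the dump from 14 tickets to 5, and redaction leaves none of the survivors disclosing a treatment category, which is the point of the two controls: retention limits how much history is sitting in the vendor platform when a support agent's account is taken over, and redaction limits what each remaining record reveals. The regular expressions are deliberately simple; a production redaction pass would also cover names, order identifiers, and product names that imply a condition.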
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.