Hims & Hers Data Breach Exposes Customer Data — Here Is What You Need to Know
Hims & Hers, the popular telehealth company known for selling weight-loss drugs and sexual health prescriptions, has confirmed a data breach. Hackers broke into its third-party customer support system between February 4 and February 7, stealing personal information from support tickets submitted by real customers. If you have ever contacted their support team, your data may be at risk.
How the Hims & Hers Hack Actually Happened
This was not a brute-force attack or a sophisticated exploit. According to a company spokesperson, Hims & Hers fell victim to a social engineering attack — a method where hackers psychologically manipulate employees into handing over access credentials or granting system entry.
It is one of the most effective and increasingly common tactics used by cybercriminals today. Rather than breaking through technical defenses, they simply trick a human into opening the door. Once inside, the attackers moved quickly, spending at least three days inside the third-party ticketing system before the breach was discovered.
The company disclosed the breach in a formal data breach notice filed with the California attorney general's office. Under California law, any breach involving 500 or more state residents must be disclosed, which gives us a legal paper trail — but also signals the scale of impact is likely significant.
What Data Was Stolen in the Breach
The company confirmed that hackers stole data contained within customer support tickets. These tickets are the messages customers send when they have a problem — covering anything from billing questions to prescription concerns to account issues.
According to the breach notice, the stolen data included customer names and contact information. A company spokesperson also stated that the compromised data "primarily included customer names and email addresses." However, the official notice filed with regulators left certain categories of personal data redacted, meaning the full picture of what was taken has not been made public.
Hims & Hers was quick to clarify that customer medical records were not directly affected. But that reassurance only goes so far. Support tickets for a telehealth company can still contain highly sensitive context — the nature of a prescription inquiry, a complaint about a medication, or account-level details that paint an intimate picture of someone's health journey. The sensitivity of that data should not be underestimated.
Who Is at Risk and How Many People Were Affected
As of now, the exact number of affected individuals has not been disclosed by the company. Hims & Hers has not confirmed a specific figure, and when pressed by journalists for more detail about the types of data taken, the company declined to provide a fuller answer.
The decision to file with the California attorney general suggests that, at minimum, hundreds of customers in California alone were affected. Given that Hims & Hers operates nationally and serves hundreds of thousands of subscribers across the United States, the total number of people whose data was exposed could be significantly higher.
Customers who have contacted the Hims & Hers support team — especially between late 2025 and early 2026 — should assume their name and email address may be in the hands of unauthorized third parties.
Why Telehealth Companies Are Prime Targets for Hackers
The Hims & Hers breach is not happening in isolation. Over the past 12 to 18 months, customer support and ticketing systems have become high-value targets for financially motivated cybercriminals. These systems sit at the intersection of personal data and operational access — and they are often managed by third-party vendors with their own security vulnerabilities.
Hackers know that companies managing health-adjacent data face enormous reputational and regulatory consequences if that data is exposed. That pressure creates leverage — making these organizations more likely to pay a ransom quietly rather than face public scrutiny.
It is also worth noting that Hims & Hers has not confirmed whether hackers made any ransom demand or whether any communication has been received from the attackers at all. The company's silence on this point is notable.
The Growing Threat Against Customer Support Systems
This breach follows a pattern that the cybersecurity world has been watching closely. Customer support platforms are a goldmine for attackers. They aggregate names, emails, device information, purchase history, and in many cases, sensitive personal disclosures that users make when seeking help.
Just last year, a major online platform suffered a breach through its customer support ticketing system that exposed the government-issued IDs — including passports and driver's licenses — of tens of thousands of users who had submitted them to verify their identity.
That case is a stark reminder that the support inbox is not just a place for customer complaints. It is a repository of deeply personal information that deserves the same level of protection as any core database.
The shared thread in these incidents is the use of third-party vendors. When companies outsource their customer support infrastructure, they extend their attack surface to include every vulnerability in that vendor's systems.
What Hims & Hers Is — and Is Not — Telling Customers
The company's communication around this breach has been notably thin on specifics. It confirmed the breach. It named the attack vector as social engineering. It said names and emails were primarily what was taken. It confirmed medical records were not accessed.
Beyond that, Hims & Hers has declined to answer key questions: How many people were affected? What specific categories of personal data were redacted from the official notice? Has the company received any ransom demand? What steps is it taking to secure its third-party vendor relationships going forward?
This kind of partial disclosure is frustrating for customers who deserve full transparency, particularly from a company entrusted with health-related information. Data breach transparency is not just a public relations exercise — it is an ethical obligation to the people whose private data was put at risk.
What You Should Do Right Now If You Are a Hims & Hers Customer
Even if you have not received a direct notification from the company, there are steps worth taking immediately to protect yourself.
First, be on high alert for phishing emails. Now that hackers have names and email addresses, you may start receiving sophisticated, targeted emails that appear to come from Hims & Hers or a related service. Do not click links in unexpected emails — go directly to the official website instead.
Second, if you used the same email address and password combination on Hims & Hers as on other platforms, change those passwords now. Use a password manager if you do not already have one, and enable two-factor authentication wherever possible.
Third, monitor your email account for unusual activity. If hackers have your email address, they may attempt to use it as a stepping stone to access other services.
Fourth, watch your financial accounts. While financial data was not mentioned in the breach disclosure, a customer's full profile — name, email, and support history — can sometimes be used in account takeover attempts on other platforms.
Finally, keep an eye out for any official notification from Hims & Hers. The company is obligated to inform affected individuals, and that communication should include guidance on next steps.
Telehealth Security Cannot Be an Afterthought
The Hims & Hers breach arrives at a moment when telehealth is growing faster than ever. Millions of Americans now manage prescriptions, mental health care, and chronic conditions through digital health platforms. The convenience is real — but so is the risk.
Healthcare data is among the most sensitive information a person can share. When a customer reaches out to a telehealth company's support team, they are often doing so during a vulnerable moment. The expectation is that this company will treat their information with the highest possible standard of care.
Third-party ticketing systems, social engineering attacks, and opaque breach disclosures are not acceptable features of a mature healthcare company's operations. As the telehealth sector matures, regulators, investors, and customers alike are going to demand better.
The Hims & Hers data breach is a serious reminder that digital convenience and digital security must grow together — not at each other's expense.