Hims & Hers Health announces breach affecting patients' personal data

American telehealth company Hims & Hers Health said it suffered a major customer data breach after hackers gained access to customer support tickets shared with a third-party customer service platform.

 

The telehealth company disclosed the data security incident in a notice shared with the office of the Attorney General of California on 2nd April, stating that the breach incident occurred between 4th and 7th February. 

 

Headquartered in San Francisco, California, Hims & Hers Health, Inc. was founded in 2017 as a multi-speciality telehealth platform, connecting patients to licensed healthcare professionals to obtain advice and care for numerous conditions related to sexual health, hair care, mental health, skincare, primary care, and more. 

 

The company earned a revenue of $2.35 billion in 2025 and was listed on the New York Stock Exchange in 2021. Hims & Hers competes aggressively with the likes of Amwell, Ro, and Maven Clinic, particularly for a major chunk of the $186 billion telehealth industry driven by the weight-loss craze and a shortage of primary care providers in the US.

 

The company said in data security incident notification letters sent to affected patients that on 5th February, it learned about suspicious activity affecting a third-party customer service platform. An investigation into the activity revealed that customer support tickets shared with the platform between 4th and 7th February were accessed or acquired by third parties. 

 

"On March 3, 2026, we identified that personal information related to a limited set of individuals was present in the affected service tickets," the company said. It added that the compromised customer service tickets contained patients’ names, contact details and additional information but did not contain personal healthcare information or communications between patients and their healthcare practitioners.

 

"We promptly launched an investigation, secured the customer service platform, and worked to identify affected individuals. As part of our ongoing commitment to information security, we are reviewing our policies and procedures to reduce the likelihood of similar future incidents. We have notified federal law enforcement and will notify relevant regulators, as required," the company said.

 

Hims & Hers Health is providing complimentary credit monitoring and identity restoration services through Cyberscout for twelve months to all affected patients, and has also set up a dedicated phone helpline to address patients’ questions and concerns about the data security incident.

 

According to BleepingComputer, the cyber attack was carried out by the ShinyHunters extortion group which used compromised Okta single-sign-on accounts to gain access to a Zendesk instance managed by Hums & Hers Health. The hacker group reportedly stole millions of customer support tickets from the platform until the access was terminated.

 

Hims & Hers Health is yet to disclose how many patients were impacted by the data breach incident or whether it has received a ransom demand from hackers who had millions of customer tickets in their possession.