Hims & Hers, a direct-to-consumer telehealth company, has disclosed a data breach involving unauthorized access to its third-party customer service platform. The incident, which occurred in early February 2026, exposed support tickets containing limited personal information, highlighting growing cybersecurity risks in digital healthcare services.
The breach was first identified on February 5, 2026, when suspicious activity was detected within the customer support platform. An internal investigation later confirmed that an unauthorized third party had accessed the system between February 4 and February 7, during which time certain customer support tickets were viewed or exfiltrated.
According to the company, the compromised data includes personal details such as names and contact information. However, Hims & Hers clarified that no medical records were accessed, and there was no unauthorized exposure of communications between patients and healthcare providers – an important distinction in mitigating the severity of the breach.
Following the discovery, the company moved quickly to secure the affected platform, notify law enforcement authorities, and begin outreach to impacted individuals. Notification letters are currently being sent to those affected, and the company is offering 12 months of complimentary credit monitoring and identity theft protection services.
Despite the breach, Hims & Hers has not publicly disclosed the total number of individuals impacted. The incident has been reported to regulators, including the California Attorney General, as part of compliance with data breach notification requirements.
The company has also initiated a comprehensive review of its privacy and security policies, alongside implementing additional safeguards to prevent similar incidents in the future. This includes reassessing third-party platform security and strengthening internal monitoring capabilities.
While Hims & Hers did not officially attribute the attack, external reports suggest that the ShinyHunters threat group may be responsible. The group is known for targeting organizations through compromised Okta single sign-on (SSO) accounts, enabling unauthorized access to cloud-based platforms and customer data repositories.
In this instance, the attackers reportedly leveraged an Okta SSO vulnerability to infiltrate the company’s Zendesk environment, potentially extracting millions of support tickets as part of a broader data theft and extortion campaign affecting multiple organizations.
The breach underscores the increasing vulnerability of third-party platforms within healthcare ecosystems, where even limited data exposure can have significant implications for consumer trust and regulatory compliance. As telehealth adoption continues to rise, companies are under growing pressure to ensure robust security across all digital touchpoints, including external service providers.
This incident serves as a reminder that cybersecurity resilience in healthcare extends beyond core systems to encompass the entire digital supply chain, reinforcing the need for proactive threat detection, strict access controls, and continuous monitoring of third-party integrations.
Recommended Cyber Technology News :
- Check City Data Breach Impacts 322K Users
- Data Breach Settlement: Cardiovascular Pays $3.85M
- Meta Halts Mercor Work After Major AI Data Breach
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
