Telehealth company Hims & Hers has confirmed a data breach affecting its third-party customer service platform. The company filed a notice with the California attorney general's office on Thursday, stating that hackers infiltrated its support ticketing system between 4 and 7 February.
The breach compromised customer support tickets, which contained personal information submitted by users. A company spokesperson attributed the incident to a social engineering attack in which employees were tricked into granting system access.
Scope of the Compromised Data
According to the data breach notice, the stolen information primarily included customer names and email addresses. The notice also referenced other unspecified personal data, which the company redacted in its public filing.
Jake Martin, a spokesperson for Hims & Hers, stated the stolen data "primarily included customer names and email addresses." The company declined to specify what other types of data were taken when questioned by TechCrunch.
The firm emphasised that customer medical records were not affected. However, support tickets can contain sensitive details about a person's account and healthcare inquiries.
Ongoing Investigation and Legal Context
The exact number of affected individuals remains unknown. Under California law, companies must disclose data breaches involving 500 or more state residents.
The company has not confirmed whether it has received any communication, such as a ransom demand, from the hackers. Customer support systems have become frequent targets for financially motivated cybercriminals seeking to extort companies.
This incident follows a similar breach last year at Discord, where a hack on its support system exposed the government-issued IDs of approximately 70,000 users.
Industry-Wide Security Concerns
The attack on Hims & Hers highlights a growing trend in which hackers target third-party customer service platforms to access vast databases of personal information. These systems are often seen as vulnerable points in corporate security.
The company's response and the ongoing investigation will be closely watched, as data breaches in the healthcare sector carry significant regulatory and reputational risks.