Hims & Hers, the telehealth powerhouse known for weight-loss treatments and sexual health prescriptions, has confirmed a security breach involving its third-party customer service platform. The incident, which occurred in early February 2026, resulted in the theft of sensitive data submitted by users through the company’s support channels.
The Scope of the Attack
According to a disclosure filed with the California attorney general’s office, unauthorized actors gained access to the company’s customer support ticketing system between February 4 and February 7. During this window, hackers successfully exfiltrated a significant volume of support tickets containing personal information.
While Hims & Hers stated that core medical records were not compromised, the nature of support tickets often involves sensitive context. The stolen data includes:
- Customer names
- Email addresses and contact information
- Unspecified personal data related to account inquiries
Social Engineering at Play
The breach was not the result of a direct software exploit but rather a social engineering attack. Company spokesperson Jake Martin confirmed that hackers manipulated employees into granting access to internal systems. This method has become increasingly common as cybercriminals pivot from technical hacking to psychological manipulation of staff members.
Under California law, companies must report breaches affecting more than 500 state residents. While the total number of affected individuals remains undisclosed, the filing indicates the scale was large enough to trigger these mandatory reporting requirements.
A Growing Trend in Cybersecurity
This incident mirrors a rising trend where financially motivated hackers target customer service infrastructure. Because these systems often store unencrypted personal identifiers and sensitive communication logs, they serve as high-value targets for extortion.
Similar vulnerabilities were exposed last year when Discord suffered a breach of its support system, which exposed the government-issued IDs of approximately 70,000 users. For telehealth providers like Hims & Hers, the stakes are particularly high, as support interactions frequently touch upon private health concerns and personal identity.
