Hims and Hers, the publicly traded telehealth company known for its weight-loss drug prescriptions and sexual health services, has confirmed a significant data breach affecting its third-party customer support platform. The breach, disclosed on April 2, 2026, via a filing with the California Attorney General’s office, reveals that hackers used social engineering tactics to infiltrate the company’s ticketing system and steal sensitive customer data.
What Happened: The Breach Timeline
According to the official data breach notice, the attack unfolded over several days in early February 2026:
- February 4-7, 2026: Hackers breached Hims and Hers’ third-party customer support ticketing system
- The attackers used a social engineering attack, tricking employees into granting unauthorized system access
- Stolen data included customer names, email addresses, contact information, and other personal data submitted through support tickets
- The company confirmed that medical records were not directly affected
However, cybersecurity experts note that customer support tickets for a telehealth company can contain highly sensitive information, including details about prescriptions, health conditions, and personal circumstances, even if formal medical records were not accessed.
The Social Engineering Threat
This breach highlights the growing danger of social engineering attacks, which exploit human psychology rather than technical vulnerabilities. Hackers posing as legitimate users or IT personnel convinced Hims and Hers employees to grant them access to internal systems, a technique that has proven devastatingly effective against even well-resourced companies.
The attack follows a disturbing pattern. In 2025, Discord suffered a similar breach of its customer support ticketing system, exposing the government-issued IDs of approximately 70,000 users. Customer support platforms have become prime targets because they aggregate sensitive personal information in systems that often have weaker security controls than core infrastructure.
Why Telehealth Breaches Are Especially Dangerous
The healthcare and telehealth sector faces unique cybersecurity risks. Patients share deeply personal information, medical histories, prescription details, and mental health concerns when seeking care. Even if formal electronic health records (EHR) systems were not compromised, support ticket data at a company like Hims and Hers could reveal:
- What medications customers are taking (including sensitive drugs like GLP-1 weight-loss medications)
- Personal health concerns and conditions
- Billing and insurance information
- Home addresses and contact details
This type of data is highly valuable on dark web marketplaces and can be used for targeted phishing, identity theft, and even blackmail.
Regulatory and Legal Implications
The California data breach disclosure was triggered by state law requiring notification when 500 or more California residents are affected. The full scope of the breach, including the total number of affected customers, has not yet been disclosed. Hims and Hers has not confirmed whether it received a ransom demand from the attackers.
Given the sensitive nature of telehealth data, the company could face significant regulatory scrutiny from both state and federal authorities, including potential HIPAA-related investigations if protected health information were involved.
What Customers Should Do
If you are a Hims and Hers customer, cybersecurity experts recommend monitoring your email for phishing attempts, enabling two-factor authentication on your account, watching for suspicious activity on financial accounts, and being cautious of any unsolicited communications claiming to be from the company.
For quality tech news, professional analysis, insights, and the latest updates on technology, follow TechTrib.com. Stay connected and join our fast-growing community.
TechTrib.com is a leading technology news platform providing comprehensive coverage and analysis of tech news, cybersecurity, artificial intelligence, and emerging technology. Visit techtrib.com.
Contact Information: Email: news@techtrib.com or for adverts placement adverts@techtrib.com
About The Author
