The Hims and Hers data breach represents a significant security failure at one of America’s largest telehealth providers, exposing customer support records through a compromised third-party system. Between February 4 and February 7, 2026, hackers broke into the company’s customer support ticketing platform and stole support tickets containing personal information from at least 500 customers. The company did not disclose the incident publicly until April 2, 2026, nearly two months after discovering suspicious activity on February 5.
Key Takeaways
- Hims and Hers data breach occurred February 4-7, 2026, targeting a third-party customer support system.
- Stolen data included customer names, email addresses, and other unspecified personal information from support tickets.
- Company disclosed breach on April 2, 2026, almost two months after becoming aware of the attack.
- At least 500 California residents affected; exact total number of impacted customers remains unknown.
- Attack used social engineering to trick employees into granting unauthorized access to the system.
How the Hims and Hers Data Breach Unfolded
The Hims and Hers data breach began when hackers used social engineering tactics to manipulate company employees into providing access to a third-party customer support ticketing system. This approach—tricking staff rather than exploiting software vulnerabilities—proved devastatingly effective. Once inside, attackers extracted support tickets containing customer names, contact information primarily in the form of email addresses, and other personal data. The company detected suspicious activity on February 5, just one day into the breach window, but the full scope of the compromise remained unclear for weeks.
What makes this breach particularly concerning is the nature of the compromised data. Support tickets for a telehealth provider like Hims and Hers often contain sensitive healthcare-related information, account details, and personal disclosures made during customer service interactions. Even though the company claims customer medical records stored in its main systems were not accessed, the support tickets themselves could expose users to identity theft, targeted phishing, or other follow-on attacks.
Why the Hims and Hers Data Breach Matters for Telehealth Security
Telehealth platforms like Hims and Hers are prime targets for cybercriminals because medical data commands significantly higher prices on dark web markets than financial records, selling for 10 to 50 times more. This economic incentive drives attackers to focus on healthcare providers, making the Hims and Hers data breach part of a troubling trend. The two-month gap between discovery and disclosure raises additional red flags about the company’s incident response procedures and whether customers received timely notification to change passwords or monitor accounts.
The use of social engineering as the attack vector also highlights a persistent vulnerability in corporate security. No firewall or encryption can prevent employees from being tricked into handing over credentials or access. This method bypasses technical defenses entirely, making it a favorite tactic among sophisticated threat actors pursuing high-value targets like healthcare firms.
What Information Was Stolen in the Hims and Hers Data Breach?
Company spokesperson Jake Martin confirmed that the stolen data primarily included customer names and email addresses, but declined to specify what other personal information was compromised. This vagueness is troubling. Support tickets routinely contain phone numbers, home addresses, payment information, prescription details, and medical history—any of which could be weaponized by attackers. The company’s breach notice filed with the California Attorney General’s office also redacted unspecified personal data details, leaving customers and security researchers without a complete picture of what was exposed.
At least 500 California residents were affected, the threshold at which state law triggers disclosure obligations. However, the actual number of impacted customers could be substantially higher. The company has not publicly stated whether the breach extended beyond California or how many total customers were affected by the Hims and Hers data breach.
The Delayed Disclosure Problem
The Hims and Hers data breach was discovered on February 5, 2026, but not disclosed publicly until April 2, 2026—a gap of nearly 57 days. During this window, affected customers had no way to know their information was compromised, leaving them vulnerable to follow-up attacks. While companies do need time to investigate breaches and notify regulators, this timeline pushes the boundaries of reasonable response procedures. Customers expect notification within weeks, not months, especially when personal information and healthcare data are involved.
What Should Hims and Hers Customers Do Now?
If you are a Hims and Hers customer, monitor your email accounts for suspicious activity and phishing attempts. Attackers often use stolen email addresses to craft targeted scams. Change your password on the Hims and Hers platform immediately if you have not already done so. Consider placing a fraud alert with the three major credit bureaus (Equifax, Experian, TransUnion) to make it harder for criminals to open accounts in your name. Watch your financial statements and credit reports for unauthorized activity. If you provided sensitive information through customer support—such as payment details or medical history—be especially vigilant.
Is Hims and Hers customer medical data at risk from this breach?
The company states that customer medical records stored in its primary systems were not affected by the Hims and Hers data breach. However, the stolen support tickets may contain health-related information disclosed during customer service interactions, so some medical details could be exposed even if formal medical records were not accessed.
How common are data breaches in the telehealth industry?
Telehealth platforms face constant cyber threats because they hold valuable medical and financial data. The Hims and Hers data breach adds to a growing list of healthcare firms hit by major security incidents in recent years, reflecting both the attractiveness of healthcare data to criminals and persistent gaps in security practices across the sector.
Will there be a class action lawsuit over the Hims and Hers data breach?
Class action lawsuits often follow major data breaches involving personal information. While none has been announced yet, customers affected by the Hims and Hers data breach may have grounds to pursue legal action, particularly given the two-month notification delay and the sensitive nature of telehealth data.
The Hims and Hers data breach is a stark reminder that no company—regardless of size or industry—is immune to cyberattacks. What separates a manageable incident from a catastrophic one is transparency, speed of response, and investment in security culture. The attackers’ reliance on social engineering as the attack vector underscores the reality that technical defenses alone are insufficient; employee training and access controls matter just as much. For customers, the breach should prompt immediate action to secure accounts and monitor for fraud.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar


