Telehealth provider Hims & Hers Health is notifying customers of a significant data breach after unauthorized actors accessed its third-party customer service platform. The incident, which targeted support tickets, has raised concerns over the security of personal information within the direct-to-consumer healthcare space.
The company, which generates nearly $1 billion in annual revenue through subscription-based treatments for mental health, hair loss, and weight loss, discovered the intrusion in early February. According to a notification shared with authorities in California, the breach was limited to the company’s customer service interface and did not extend to core medical databases.
The Hims & Hers data breach underscores a growing vulnerability in how modern companies manage customer support via external Software-as-a-Service (SaaS) providers. While the company has moved to secure its systems, the exposure of support tickets can often reveal sensitive context about a user’s health concerns or personal struggles, even if formal medical records remain untouched.
The Timeline of the Intrusion
The security event unfolded over a brief but intense window in February. Based on the company’s internal investigation, the unauthorized access began on February 4 and continued through February 7. Hims & Hers reported that it became aware of “suspicious activity” affecting its third-party customer service platform on February 5.
Following the discovery, the company initiated a forensic review to determine the scope of the theft. By March 3, the investigation concluded that hackers had successfully acquired a number of support tickets. These tickets—the digital logs of conversations between customers and support agents—contained personal information whose exposure the company is now working to mitigate.
The exposed data is believed to include names and contact information, along with other unspecified data points tied to the specific support requests submitted by users. In a statement to affected individuals, the company emphasized that no doctor communications or official medical records were compromised during the event.
A ‘Skeleton Key’ Attack: Okta and Zendesk
While the company’s public notifications remain brief, the technical mechanics of the breach point to a sophisticated attack on identity management. The intrusion was reportedly carried out by the ShinyHunters extortion gang, a group known for targeting high-profile corporate databases.
The attackers did not breach the Hims & Hers network directly. Instead, they targeted Okta Single Sign-On (SSO) accounts. For those of us who have worked in software engineering, this is a classic “skeleton key” scenario. SSO is designed to streamline access by allowing a user to log in once to access multiple platforms; however, if the primary SSO account is compromised, the attacker gains an all-access pass to every connected service.
In this instance, the threat actors used a compromised Okta account to pivot into the company’s Zendesk instance—the platform used to manage customer support tickets. Once inside, the attackers were able to exfiltrate millions of support tickets. Because they were using legitimate, albeit stolen, credentials, traditional perimeter defenses had nothing to block: the traffic looked like an authorized agent doing their job.
The Risks of Support Ticket Exposure
There is a common misconception that “non-medical” data is low-risk. However, in the context of telehealth, support tickets are often highly revealing. A customer might email support to inquire about side effects of an ED medication, the pricing of a mental health subscription, or the delivery status of a weight-loss treatment. When this information is paired with names and contact details, it becomes a goldmine for social engineering.

| Detail | Status/Information |
|---|---|
| Primary Vector | Compromised Okta SSO Account |
| Platform Affected | Zendesk (Third-party support) |
| Data Compromised | Names, contact info, support tickets |
| Data Safe | Medical records, doctor communications |
| Threat Actor | ShinyHunters (attributed) |
Industry-Wide Vulnerabilities
The breach at Hims & Hers is not an isolated incident involving Zendesk. The platform has recently been the center of other high-profile security failures. In February, the European DIY chain ManoMano suffered a breach, and in March, the streaming service Crunchyroll investigated a similar incident where hackers claimed to have stolen data from millions of users.
This pattern suggests a systemic risk in how companies integrate SaaS platforms. When a company offloads its customer service to a third party, it essentially extends its trust boundary. If the connection between the company’s identity provider (like Okta) and the service provider (like Zendesk) is not hardened with multi-factor authentication (MFA) or strict conditional access policies, a single compromised credential can lead to a catastrophic data leak.
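Because a stolen SSO credential produces traffic that is indistinguishable from a legitimate agent at the network layer, the practical control here is behavioural: watch what an identity does after it authenticates, not just whether it authenticated. The script below is an added example, not code from Hims & Hers, Okta or Zendesk. It runs a sliding-window count of ticket views and exports per identity over a set of constructed audit events and flags any identity that touches more tickets in ten minutes than a human agent plausibly would, noting whether the source address is one the organisation recognises. The event format, threshold, identity names and IP addresses are all assumptions for illustration; real Okta System Log and helpdesk audit schemas differ and would need a small adapter.

```python
"""Flag bulk support-ticket access by a single SSO identity.

Added example (not Hims & Hers, Okta or Zendesk code). The audit-event tuple
format, actor names, IPs and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (utc_timestamp, actor, action, ticket_count, source_ip)
SAMPLE_EVENTS = [
    # Normal agent behaviour: a handful of tickets from a known office address.
    ("2026-02-04T09:00:00Z", "agent.alice", "ticket.view", 1, "203.0.113.10"),
    ("2026-02-04T09:03:00Z", "agent.alice", "ticket.view", 2, "203.0.113.10"),
    ("2026-02-04T09:07:00Z", "agent.alice", "ticket.view", 1, "203.0.113.10"),
    # Large but spaced-out exports (e.g. a scheduled report): not a single burst.
    ("2026-02-04T10:00:00Z", "agent.bob", "ticket.export", 300, "203.0.113.11"),
    ("2026-02-04T11:00:00Z", "agent.bob", "ticket.export", 300, "203.0.113.11"),
    # Compromised SSO identity pulling tickets in bulk from an unfamiliar address.
    ("2026-02-05T02:10:00Z", "svc.helpdesk-sso", "ticket.export", 200, "198.51.100.7"),
    ("2026-02-05T02:12:00Z", "svc.helpdesk-sso", "ticket.export", 200, "198.51.100.7"),
    ("2026-02-05T02:14:00Z", "svc.helpdesk-sso", "ticket.export", 200, "198.51.100.7"),
    ("2026-02-05T02:16:00Z", "svc.helpdesk-sso", "ticket.export", 200, "198.51.100.7"),
    # Unrelated action type: ignored by the ticket-volume rule.
    ("2026-02-05T02:11:00Z", "svc.helpdesk-sso", "user.login", 0, "198.51.100.7"),
]

# Constructed baseline of source addresses the organisation expects agents to use.
KNOWN_SOURCE_IPS = {"203.0.113.10", "203.0.113.11"}

BULK_THRESHOLD = 500            # tickets touched per window before flagging
WINDOW = timedelta(minutes=10)  # sliding window length


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_access(events, known_ips=KNOWN_SOURCE_IPS,
                       threshold=BULK_THRESHOLD, window=WINDOW):
    """Return one alert per identity whose ticket volume in any sliding
    window reaches `threshold`. Each alert records the window start, the
    volume that tripped the rule and any source IPs outside the baseline."""
    by_actor = defaultdict(list)
    for ts, actor, action, count, ip in events:
        if action.startswith("ticket."):          # only ticket reads/exports count
            by_actor[actor].append((parse_ts(ts), count, ip))

    alerts = []
    for actor, rows in by_actor.items():
        rows.sort()                               # chronological per identity
        start, running = 0, 0
        for end, (ts, count, ip) in enumerate(rows):
            running += count
            # Slide the window forward: drop events older than `window`.
            while ts - rows[start][0] > window:
                running -= rows[start][1]
                start += 1
            if running >= threshold:
                seen_ips = {r[2] for r in rows[start:end + 1]}
                alerts.append({
                    "actor": actor,
                    "window_start": rows[start][0].isoformat(),
                    "tickets": running,
                    "unfamiliar_ips": sorted(seen_ips - set(known_ips)),
                })
                break                             # one alert per identity for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores whether the login succeeded: the login did succeed, with a real credential. What it keys on is volume over time, which a session-limited conditional access policy can also enforce preventively (short token lifetimes, device posture checks, and rate limits on ticket export endpoints). Tuning the threshold against a week of normal agent activity before enabling alerts avoids paging on legitimate reporting jobs like the spaced-out exports in the sample.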
Next Steps for Affected Customers
Hims & Hers is offering 12 months of free credit monitoring services to all individuals impacted by the breach. While credit monitoring is a standard corporate response, it primarily protects against financial identity theft rather than the more immediate risk of phishing.
Security experts advise customers to remain vigilant against unsolicited communications. Because the stolen data includes support ticket history, attackers can craft highly convincing “spear-phishing” emails. For example, a hacker might send an email referencing a real support ticket the user once opened, making the fraudulent message appear authentic to trick the user into revealing passwords or payment information.
Users are encouraged to:
- Review account statements and credit reports for any unauthorized activity.
- Enable hardware-based MFA (such as YubiKeys) on all sensitive accounts.
- Treat any unexpected email or text from “customer support” with extreme skepticism, especially if it asks for personal verification.
Disclaimer: This article is for informational purposes only and does not constitute legal or professional security advice.
The company has not yet released the final number of impacted customers, though reports suggest the volume of stolen tickets is in the millions. The next confirmed checkpoint will be the company’s updated regulatory filings and further notifications to the California Attorney General’s office as the forensic investigation concludes.
Do you use telehealth services? We want to hear your thoughts on data privacy in the digital health era. Share your experience in the comments below or join the conversation on our social channels.
