Telehealth giant Hims & Hers says its customer support system was hacked
Hims & Hers, a prominent telehealth company specializing in weight-loss medications and sexual health prescriptions, has disclosed a security incident that compromised its third-party customer service platform.
According to a data breach notification filed with the California attorney general's office on Thursday, the healthcare provider confirmed that unauthorized actors gained access to its customer support ticketing system. The incident occurred between February 4 and February 7, during which attackers extracted substantial volumes of support ticket data containing customers' personal information.
The breach notification indicates that compromised data included customer names and contact details, along with additional personal information that Hims & Hers has chosen to redact from public disclosure. While the company has stated that customer medical records remained unaffected by the incident, the nature of customer support systems suggests that the exposed data could include sensitive account information and healthcare-related communications.
The exact number of affected individuals remains undisclosed. California state law mandates public notification of data breaches when 500 or more state residents are impacted.
Jake Martin, a Hims & Hers spokesperson, confirmed to TechCrunch that the company fell victim to a social engineering attack, a cybercrime technique where attackers manipulate employees into providing system access. The spokesperson said the compromised information "primarily included customer names and email addresses," though specific data categories were not detailed when clarification was requested.
The company has not disclosed whether it has received any direct communication from the attackers, including potential ransom demands.
This incident reflects a broader trend targeting customer support and ticketing systems, which have emerged as attractive targets for cybercriminals seeking access to customer databases for extortion purposes. The healthcare and technology sectors have experienced several high-profile examples of such attacks.
Notably, Discord experienced a similar breach last year when attackers compromised its customer support ticketing system, resulting in the exposure of government-issued identification documents from approximately 70,000 users who had submitted driver's licenses and passports for age verification purposes.