Hims & Hers Hit By Social Engineering Attack, Only Names And Emails Exposed

Hims & Hers said a “sophisticated social engineering attack” in February led to limited access on its third-party customer service platform, but the company said its electronic medical record system was not reached. The telehealth firm disclosed the incident in regulatory filings and said the attackers primarily accessed customer names and email addresses.

The company said the unusual activity involved unauthorized access to service tickets between Feb. 4 and Feb. 7. Hims & Hers detected the activity on Feb. 5, secured the customer service environment, and began an investigation.

What Hims & Hers said was accessed

According to the company, the breach was contained to a customer service software platform that relied on a third-party provider. A spokesperson told Cybersecurity Dive that “our electronic medical record and communications with healthcare providers on our platform were not accessed.”

The filing with the California Attorney General’s office said customer medical records were not accessed and healthcare-provider communications were also not exposed. The company added that the data seen by the unauthorized party was mostly limited to names and email addresses.

Scope of the incident remained narrow

Hims & Hers said the attack targeted two employees, according to its Feb. 22 10-K filing with the U.S. Securities and Exchange Commission. The company also said the hackers may have viewed some treatment information tied to certain customers who contacted customer service through the online platform.

A simple breakdown of the disclosed impact is below:

  1. Access was limited to a third-party customer service system.
  2. Electronic medical records were not accessed.
  3. Provider communications were not accessed.
  4. Customer names and email addresses were primarily exposed.
  5. Some treatment information may have been viewed for certain support cases.

Response and regulatory reporting

The company said it notified law enforcement and reviewed its internal policies and procedures after the incident. It also said it took steps to secure the customer service environment soon after discovering the suspicious activity.

Regulatory disclosures suggest the company moved quickly to contain the problem, but the incident still highlights the risk created when companies handling sensitive health data rely on outside service platforms. Even if core medical systems stay protected, attackers can still reach personal data through support tools and employee accounts.

Why the breach matters

Hims & Hers serves about 2.5 million subscribers and has grown into a major provider of health treatments and wellness products. The company recently announced an agreement with Novo Nordisk to offer FDA-approved weight-loss medications with medical support, making data protection especially important as its platform handles more consumer health interactions.

The company told regulators that it does not expect the incident to have a material impact on financial performance. That view may reassure investors in the short term, but consumer trust often depends on how clearly a company explains what was exposed and how it strengthens controls after an attack.

What users should watch for

Customers affected by service-platform incidents often face phishing risks even when medical records are not stolen. The following warning signs are worth monitoring:

  1. Unexpected emails asking for login credentials or payment details.
  2. Messages that reference health or support history to appear legitimate.
  3. Account activity that includes password resets or unfamiliar logins.
  4. Requests to confirm personal information through links in emails or texts.

Hims & Hers has not said the incident affected its core clinical systems, but the disclosure shows how social engineering can exploit the weakest link in a digital health operation. As the company continues its review, the focus will likely remain on third-party access controls, employee verification procedures, and how much customer information is kept in support tools.

Read more at: www.cybersecuritydive.com