Hims & Hers discloses customer support breach tied to social engineering

Telehealth support data is the latest target

Hims & Hers has disclosed a data breach affecting its third-party customer service platform, adding another case to a growing pattern in which attackers target support and ticketing systems rather than core production infrastructure. According to the company’s filing, hackers gained access to the external ticketing environment between February 4 and February 7 and stole customer support records.

The company said the stolen material included customer names and contact information, along with other personal data submitted through support requests. Hims & Hers said medical records were not affected, but that assurance only narrows the scope of the incident rather than eliminating its sensitivity. Customer support systems often contain the kinds of details users share when they are trying to solve account, billing, prescription, or identity problems. In healthcare-adjacent services, that can still amount to deeply personal information.

What the company disclosed

The breach notice filed with California authorities states that attackers accessed a third-party ticketing system and exfiltrated support-ticket data. The company has not publicly said how many people were affected. Under California law, public disclosure is required for breaches involving 500 or more state residents, which establishes a floor for seriousness even if the total count remains unknown.

A company spokesperson told TechCrunch the incident was caused by social engineering. That matters because it suggests the intrusion did not necessarily depend on a software vulnerability. Instead, the attackers are said to have tricked employees into granting access. In practical terms, that puts the focus on process controls, identity verification, and how much access a vendor environment can expose when human trust is exploited.

The company also said the stolen information primarily included names and email addresses. At the same time, the report notes that support tickets may contain broader personal details, and the company did not specify every category of data taken. That leaves affected users with an incomplete picture of exposure.

Why support systems keep getting hit

The Hims & Hers incident fits a wider trend identified in the source report: customer support and ticketing systems have become attractive targets for financially motivated attackers. These platforms concentrate high-value personal data in a place that is often operationally critical but sometimes less scrutinized than patient records, payment systems, or production databases.

The risk is structural. Support teams are designed to solve problems quickly, which means they handle edge cases, identity disputes, account access issues, and free-form customer explanations. That can produce records that are more revealing than a simple profile table. When those systems are operated by third parties, the attack surface expands further.

The concern is especially sharp in telehealth. Hims & Hers sells weight-loss drugs and sexual health prescriptions, so even seemingly routine customer service conversations can imply medical interests or treatment contexts. The company says medical records were not compromised, but in privacy terms the distinction between formal health records and support narratives may not feel especially reassuring to customers.

A breach with regulatory and reputational stakes

For Hims & Hers, the next challenge is not only technical remediation. It is also trust repair. Consumer healthcare brands depend on discretion, and users may judge them by the total experience of handling sensitive information, not by internal distinctions between one database and another.

The incident is also a reminder that disclosure quality matters. When a company says some personal data was taken but leaves parts of the description redacted or unspecified, the uncertainty itself becomes part of the damage. Users are left to assume the worst until more detail emerges.

The broader lesson is already clear. As companies outsource customer operations and stitch together vendor-heavy service stacks, support systems are becoming one of the most important security fronts in consumer technology and digital health. This breach did not involve the company’s core medical records, according to the disclosure. But it still shows how much sensitive exposure can accumulate in the ordinary machinery of helping customers.

This article is based on reporting by TechCrunch. Read the original article.