Hims & Hers Reports Breach in Third-Party Customer Support Platform
Mara Ellis
April 6, 2026
Hims & Hers said it discovered suspicious activity on February 5, 2026, which impacted a third-party customer service platform used by the company for support operations.
What happened
Through an investigation, Hims & Hers found that, between February 4 and February 7, certain tickets sent to the customer service team were accessed or acquired without authorization. After reviewing the affected tickets, the company said it determined on March 3, 2026, that personal information linked to a limited set of individuals was present in that data. According to the notice filed with the California Attorney General, the exposed information may include customer names and contact information, while additional data categories in the letter were redacted from the public filing.
Public records do not say how many people were affected, but the filing confirms the company submitted a California breach notice and lists February 4, 2026, as the breach date. In response, Hims & Hers said it secured the customer service platform, launched an investigation, reviewed the affected tickets to identify impacted individuals, notified federal law enforcement, and would notify regulators as required.
What was said
According to the breach notification letter, “On February 5, 2026, Hims & Hers, Inc. (“Hims & Hers”) became aware of suspicious activity affecting our third-party customer service platform. We promptly took steps to secure our customer service platform and initiated an investigation into the nature and scope of the potential security incident. The investigation determined that from February 4, 2026 to February 7, 2026 certain tickets sent to our customer service team were accessed or acquired without authorization.”
Why it matters
The Hims & Hers breach reflects a growing trend in which attackers go after support systems rather than core platforms. Customer service tools often sit outside the main clinical or product environment, but they can still hold a rich mix of names, contact details, account information, and free-text exchanges that reveal sensitive personal context.
Hims & Hers said medical records and provider communications were not affected, but the exposure of support tickets alone can still create real risk. Other breaches provide examples of how these attacks can still be devastating. For instance, in 2023, Okta found that a threat actor accessed files in its support case management system tied to 134 customers and later obtained the names and email addresses of all Okta customer support system users.
Cloudflare said in 2025 that attackers exfiltrated Salesforce case-object data after the Salesloft Drift compromise, and that the stolen records mainly consisted of support tickets and related text fields across an incident affecting hundreds of organizations.
A clear pattern emerges from those cases. Support platforms are no longer side systems with limited value. They have become concentrated stores of identity data, narrative detail, and operational context that can fuel phishing, fraud, extortion, and follow-on attacks.
The big picture
Support platforms, ticketing tools, and other third-party service systems can still contain protected health information or enough personal detail to create privacy, security, and breach-reporting obligations. A help desk exchange about billing, prescriptions, symptoms, appointments, or account access can quickly become a HIPAA issue if that information is created, received, maintained, or transmitted on behalf of a covered entity. Covered entities and business associates, therefore, need to treat support environments with the same seriousness as clinical systems.
FAQs
Can a company have a data breach even if its main systems were not hacked?
Yes. Attackers often target customer support tools, email accounts, cloud apps, vendors, or file-sharing systems instead of the company’s core platform.
Why are customer support systems a growing breach target?
Support systems often contain names, contact details, account history, attachments, and free-text messages that give attackers useful personal and operational information.
What should a company do after discovering a data breach?
A company should contain the incident, investigate what happened, identify affected individuals, notify regulators where required, and inform impacted individuals.
