Hims & Hers, a telehealth company that sells weight loss drugs and sexual health prescriptions, said that there was a data breach affecting its third-party customer service platform. The company said in a data breach notice filed with the California attorney general’s office on Thursday that the hackers stole data about user requests sent to the company’s customer support team.
According to Hims and Hers, hackers broke into its third-party ticketing system between Feb. 4 and Feb. 7 and stole reams of support tickets, which contained personal information submitted by customers. The data breach notice said the hackers took customer names and contact information, as well as other unspecified personal data that Hims & Hers left redacted in the letter.
The company said that customer medical records were not affected by the breach, however, the nature of the system might mean the data may contain sensitive information about a person’s account, personal information, and healthcare. It is not known how many individuals were affected. California law requires companies to disclose data breaches affecting 500 or more state residents.
READ: Adaption Labs CEO Sara Hooker bargains with hackers after X account is hacked (March 17, 2026)
“Customer medical records were not impacted by this incident, and neither were communications with health care providers on the platform,” the company said, adding that it was now reviewing its policies and procedures to make sure intrusions such as this one don’t happen in the future, and that federal law enforcement was notified. Regulators will be notified, too, if required.
Jake Martin, a spokesperson for Hims & Hers, told TechCrunch in a statement the company was hit by a social engineering attack, in which hackers trick employees into granting access to their systems. The spokesperson said the stolen data “primarily included customer names and email addresses.” The company did not say what specific types of data were taken, when asked by TechCrunch.
The company also did not mention if it received any communication from the hackers, such as a demand for money. No hacking group has claimed responsibility for this attack and the data has not yet appeared in the wild. Information generated by healthcare organizations is usually valuable to criminals, given its potential for abuse in phishing and identity theft attacks.
Customer support and ticketing systems have of late been increasingly targeted by hackers. Financially-motivated hackers have raided databases containing customer information and extorted companies into paying a ransom. Last year, Discord had a data breach that affected its customer support ticketing system and exposed the government-issued IDs of around 70,000 people who had submitted their driver’s licenses and passports to the company to verify their age.