Apr 04, 2026 · 6 min read

Hims & Hers Lost Your Health Data Through a Customer Service Tool—Here's What Was Taken

The ShinyHunters extortion gang compromised Okta SSO accounts to access Zendesk support tickets at the telehealth company, stealing customer names, contact details, and health-related support data.

What Happened

Telehealth company Hims & Hers, which provides prescription treatments for hair loss, sexual health, and mental health, suffered a data breach between February 4 and 7, 2026. The ShinyHunters extortion gang compromised Okta single sign-on accounts and used those credentials to access the company's Zendesk customer service platform, where they stole millions of support tickets.

The compromised data includes customer names, contact information, and details related to individual support requests. Hims & Hers stated that "no medical records or doctor communications were compromised in this incident," but support tickets at a telehealth company are not ordinary customer service interactions. They contain questions about prescriptions, treatment plans, and sensitive health conditions.

The Attack Chain

ShinyHunters, a prolific extortion group responsible for breaches at Infinite Campus and other organizations, executed the attack by compromising Okta SSO accounts first. With those credentials, they pivoted into Hims & Hers' Zendesk instance and extracted support ticket data at scale.

This was part of a broader campaign targeting multiple organizations' cloud platforms and SaaS applications through identity provider compromise. By attacking the SSO layer, ShinyHunters gained access to every downstream service those credentials could reach.

Why Health Support Data Is Different

When you contact a bank's support desk, the worst-case exposure is financial information. When you contact a telehealth company, you are discussing medications, diagnoses, and personal health decisions. Hims & Hers treats conditions that many customers prefer to keep private, including erectile dysfunction, anxiety, and hair loss.

The company's distinction between "support tickets" and "medical records" is technically accurate but practically misleading. A support ticket asking why a prescription shipment was delayed reveals the prescription. A complaint about side effects reveals the medication. The line between customer service data and health data blurs when the product is healthcare.

The Timeline Problem

The unauthorized access occurred between February 4 and 7. The company detected suspicious activity on February 5. But the investigation did not confirm the breach scope until March 3, nearly a full month later. That gap matters because every day between detection and notification is a day attackers can use the stolen data while victims remain unaware.

Hims & Hers filed a breach notification with California authorities and is offering affected customers 12 months of complimentary credit monitoring. The company has not disclosed exactly how many customers were impacted.

The SaaS Trust Chain

This breach highlights a systemic risk in modern enterprise architecture. Companies store their most sensitive customer interactions in third-party SaaS platforms like Zendesk, Intercom, and Freshdesk, then protect access to those platforms through another third-party service like Okta or Auth0. Each link in this trust chain is a potential point of failure.

When ShinyHunters compromised Okta credentials, they did not just get access to Zendesk. They potentially gained access to every SaaS tool connected to those accounts. The modern enterprise does not have a perimeter. It has a web of trust relationships, and attackers only need to break one strand.
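
The reach of a single SSO account can be measured before an incident rather than after. The Python below is an added example, not code from this article or from any company named in it: it walks group nesting to list which accounts can open an app holding health-related tickets. All accounts, groups, app names, and data labels are constructed, and it assumes an identity provider where apps are assigned to groups and groups can nest.

```python
from collections import deque

# Constructed sample data: group nesting, membership, app assignment, data held.
GROUP_PARENTS = {  # child group -> groups it is nested in
    "support-tier1": ["support-all"],
    "support-contractors": ["support-tier1"],
}
ACCOUNT_GROUPS = {
    "agent.a@example.test": ["support-tier1"],
    "vendor.b@example.test": ["support-contractors"],
    "dev.c@example.test": ["engineering"],
}
GROUP_APPS = {  # group -> SaaS apps assigned through SSO
    "support-all": ["helpdesk", "chat"],
    "engineering": ["code-hosting"],
}
APP_DATA = {  # app -> classes of data stored there
    "helpdesk": {"contact", "health-related-tickets"},
    "chat": {"contact"},
    "code-hosting": {"source"},
}
SENSITIVE = {"health-related-tickets"}

def effective_groups(account):
    """Direct groups plus every group reached through nesting."""
    seen, queue = set(), deque(ACCOUNT_GROUPS.get(account, []))
    while queue:
        group = queue.popleft()
        if group not in seen:
            seen.add(group)
            queue.extend(GROUP_PARENTS.get(group, []))
    return seen

def reach(account):
    """Apps and data classes one compromised SSO account can open."""
    apps = {a for g in effective_groups(account) for a in GROUP_APPS.get(g, [])}
    data = set().union(*(APP_DATA[a] for a in apps))
    return apps, data

def sensitive_exposure():
    """Accounts whose SSO login alone opens an app holding sensitive data."""
    report = {}
    for account in ACCOUNT_GROUPS:
        hits = sorted(a for a in reach(account)[0] if APP_DATA[a] & SENSITIVE)
        if hits:
            report[account] = hits
    return report

if __name__ == "__main__":
    print(sensitive_exposure())
```

In the sample data the contractor account reaches the helpdesk only through two levels of group nesting, which is the kind of access a flat per-app review tends to miss.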

What to Do If You Are Affected

If you have used Hims & Hers:

  1. Change your password on Hims & Hers and any other service where you used the same credentials
  2. Watch for targeted phishing that references your health information or past support interactions
  3. Take the credit monitoring offer and set up fraud alerts with all three credit bureaus
  4. Review your email for suspicious messages, since attackers often use stolen health data to craft convincing social engineering attacks

Healthcare data breaches carry a unique risk: unlike a stolen credit card number, you cannot change your medical history. Information about your health conditions, once exposed, is permanently compromised.