Telehealth company Hims & Hers Health has begun notifying customers of a data breach stemming from a compromise of its third-party customer service platform. The company confirmed that support tickets — which can contain sensitive health-related inquiries and personal information — were accessed and exfiltrated by an unauthorized party.
What Happened
The breach originated at a third-party customer support platform, widely reported to be Zendesk-based infrastructure. Threat actors gained access to customer support ticket data, which may include:
- Full names and contact information submitted in support requests
- Order history and account details referenced in tickets
- Health-related information disclosed during telehealth support interactions
- Partial payment or insurance details included in communications
Hims & Hers said that once the unauthorized access was detected, it isolated the affected environment. The company has not disclosed how many customers are affected.
Third-Party Risk in Telehealth
This breach highlights a persistent challenge in the healthcare and telehealth sector: third-party vendors that handle sensitive customer data are high-value targets for threat actors. Customer support platforms process enormous volumes of personal and medical information, yet are often outside the security controls, monitoring, and access reviews that the primary healthcare organization applies to its own systems.
Under HIPAA and applicable state privacy laws, telehealth companies must ensure that their business associates, including support platform vendors, maintain appropriate safeguards for protected health information (PHI), typically through a business associate agreement. A breach at the vendor is still a breach of the covered entity's PHI and triggers the covered entity's own notification obligations.
Hims & Hers Response
The company stated it:
- Terminated unauthorized access upon discovery of the breach
- Notified affected customers via email with details on what information may have been exposed
- Engaged a third-party security firm to conduct a forensic investigation
- Reviewed its vendor security posture to prevent similar incidents
Customers were advised to remain vigilant against phishing emails that quote their exposed support ticket information, such as order details or the subject of a past inquiry, to appear legitimate.
Implications for Patients
For individuals who contacted Hims & Hers about sensitive health conditions — including sexual health, hair loss, mental wellness, or weight management services — the exposure of support ticket content could be particularly concerning. Attackers in possession of this data could craft highly targeted spear-phishing campaigns or attempt to leverage the information for extortion.
What You Should Do
If you are a Hims & Hers customer:
- Watch for phishing emails referencing your specific health inquiries or order history
- Do not click links in unsolicited emails claiming to be from Hims & Hers; open the website or app directly instead
- Review your account for any unauthorized access or changes
- Consider placing a fraud alert with credit bureaus if financial information was included in any support tickets
- Contact Hims & Hers support directly if you believe your data was involved
Broader Context
Third-party breaches affecting customer support platforms are increasingly common. Organizations including Twilio and Okta have previously suffered breaches via their customer-facing support tooling. As telehealth adoption grows, the sensitivity of the data flowing through support channels makes them attractive targets.
This incident serves as a reminder that your health data security is only as strong as the weakest vendor in your provider's supply chain.
Source: BleepingComputer