A data breach at Hims & Hers, a major telehealth platform, has exposed some of the most sensitive categories of patient health information possible — not clinical records, but something arguably more personal: what conditions patients are seeking treatment for.
The breach, disclosed in April 2026, affected an unknown number of customers who used Hims & Hers' customer support system between mid-February 2025 and February 7, 2026.
What Happened
The threat group ShinyHunters used compromised Okta SSO credentials to gain unauthorized access to Hims & Hers' Zendesk customer support instance — a third-party platform the company uses to manage patient support tickets.
The breach window ran from February 4 to 7, 2026, during which attackers exfiltrated support ticket data spanning the previous year. The Zendesk platform contained records from patient communications requesting help with their telehealth subscriptions and treatments.
What Was Exposed
Hims & Hers confirmed the following categories of information were accessible to the attackers:
- Full names
- Email addresses
- Phone numbers
- Physical mailing addresses
- Treatment category information — the specific health conditions patients were seeking help for
That last category is where the sensitivity spikes. Hims & Hers provides telehealth services for conditions including:
- Erectile dysfunction
- Hair loss
- Weight loss
- Mental health (anxiety, depression)
- Skincare and dermatology
Knowing which of these categories a patient is associated with is enough to cause significant harm — from targeted blackmail and phishing to social stigma and insurance discrimination.
Hims & Hers stated that actual medical records, prescriptions, and clinical notes were not accessed through the Zendesk breach. However, the exposure of treatment categories still constitutes a material privacy violation for affected patients.
Why This Breach Is Different
Most healthcare data breaches target databases containing full Electronic Health Records (EHRs) — lab results, diagnoses, prescriptions. The Hims & Hers breach is a reminder that support ticket platforms contain a different kind of sensitive data: the informal, unstructured conversations patients have when they have problems with their care.
A patient who contacts support about their hair loss medication, or who asks a question about dosing for their ED prescription, may not think twice about what they're sharing with a customer service agent. But that interaction, stored in a support ticket, now represents a record of their health condition — one that sat outside the protected perimeter of clinical systems.
Telehealth platforms in particular aggregate enormous amounts of this informal PHI precisely because their patient populations are seeking care for stigmatized conditions that they might not discuss with a traditional in-person provider.
ShinyHunters and the Zendesk Attack Pattern
ShinyHunters is a well-documented threat group with a history of large-scale data theft operations. Their exploitation of the Hims & Hers Zendesk instance follows a pattern the group has used repeatedly: targeting third-party SaaS platforms rather than primary databases.
Customer support platforms like Zendesk, Salesforce Service Cloud, and similar tools are attractive targets because:
- They aggregate customer data from multiple systems in one place
- They are often secured by SSO credentials rather than dedicated multi-factor authentication
- Organizations frequently under-invest in monitoring these platforms compared to core infrastructure
- A single compromised Okta credential can unlock access to a broad dataset
ShinyHunters has been linked to breaches of Telus Digital, Salesforce Aura environments, and multiple healthcare and retail platforms using similar Okta SSO exploitation chains.
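The attack chain described above (a compromised SSO login followed by bulk export of a year's support tickets within a few days) is also what a defender can look for in the support platform's audit log. The following is an added example, not Hims & Hers', Zendesk's or Okta's own code; the event tuples, agent names, IP addresses and thresholds are constructed for illustration.

```python
# Added example (not Hims & Hers', Zendesk's or Okta's code): detection checks
# for the pattern above. Log tuples are constructed; real audit schemas differ.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, agent, event, detail).
SAMPLE_EVENTS = [
    ("2026-02-03T09:00:00", "agent-a", "sso_login", "203.0.113.10"),
    ("2026-02-03T09:05:00", "agent-a", "ticket_read", "t-1001"),
    ("2026-02-03T09:40:00", "agent-a", "ticket_read", "t-1002"),
    ("2026-02-04T02:10:00", "agent-a", "sso_login", "198.51.100.7"),
] + [  # 30 reads in 30 minutes from the new session
    (f"2026-02-04T02:{m:02d}:00", "agent-a", "ticket_read", f"t-{2000 + m}")
    for m in range(11, 41)
]

def parse(ts):
    return datetime.fromisoformat(ts)

def flag_bulk_reads(events, window=timedelta(minutes=30), threshold=20):
    """Map agent -> start of the first sliding window in which the agent
    read more than `threshold` tickets; human agents rarely do that."""
    reads = defaultdict(list)
    for ts, agent, ev, _ in events:
        if ev == "ticket_read":
            reads[agent].append(parse(ts))
    flagged = {}
    for agent, times in reads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[agent] = times[start]
                break
    return flagged

def flag_new_login_sources(events, baseline_before):
    """Map agent -> IP for SSO logins on/after `baseline_before` from an
    address the agent never used during the baseline period."""
    seen, alerts, cutoff = defaultdict(set), {}, parse(baseline_before)
    for ts, agent, ev, detail in sorted(events):  # ISO timestamps sort
        if ev != "sso_login":
            continue
        if parse(ts) < cutoff:
            seen[agent].add(detail)
        elif detail not in seen[agent]:
            alerts[agent] = detail
    return alerts
```

Both checks fire on the constructed data: the login at 02:10 comes from an address never seen in the baseline, and the session that follows reads 30 tickets in half an hour.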
Company Response
Hims & Hers notified affected customers and reported the breach to regulators including the California Attorney General. The company offered 12-month complimentary credit monitoring and identity theft protection services to all affected individuals.
The company emphasized that clinical records and prescription data remained secure within their healthcare platform, and that the breach was limited to support ticket communications handled through the third-party Zendesk instance.
What Patients Should Do
If you are or were a Hims & Hers customer and used their support platform between February 2025 and February 2026:
- Enroll in the credit monitoring offered by the company
- Be alert for targeted phishing — attackers who know your email, phone number, and treatment category may craft convincing lures
- Enable MFA everywhere — if any account shares credentials with your Hims & Hers login, change those passwords and enable two-factor authentication
- Monitor for extortion attempts — the sensitivity of the exposed data means some threat actors may attempt direct contact threatening to expose treatment information
Key Takeaways
- ShinyHunters breached Hims & Hers' Zendesk customer support platform using compromised Okta SSO credentials (Feb 4-7, 2026)
- Exposed data includes names, contact details, and treatment category information — what conditions patients were seeking telehealth help for (ED, hair loss, mental health, weight loss)
- Actual medical records and prescriptions were not accessed through this breach
- This follows a pattern of ShinyHunters targeting third-party SaaS support platforms rather than primary healthcare databases
- Hims & Hers is offering 12-month credit monitoring to affected customers and has notified regulators
Source: Dark Reading