Hims & Hers Health Breach Exposes the Fragile Underbelly of Telehealth’s Data Fortress

Hims & Hers Health disclosed a cyberattack that compromised customer data through a third-party support platform. The breach exposed names, addresses, emails, and order histories — raising serious concerns about telehealth data security and the risks of sensitive health information reaching criminal hands.
Hims & Hers Health Breach Exposes the Fragile Underbelly of Telehealth’s Data Fortress
Written by Eric Hastings

A cyberattack on Hims & Hers Health has compromised customer data through a third-party support platform, raising hard questions about how telehealth companies safeguard the sensitive personal and medical information millions of Americans entrust to them.

The breach, disclosed in a regulatory filing with the U.S. Securities and Exchange Commission, targeted the company’s customer support system — not its core medical infrastructure. But the distinction may offer cold comfort to the customers whose personal information was stolen. Names, addresses, email addresses, and order information were among the data exfiltrated, according to the filing. The company said it doesn’t believe Social Security numbers, payment card details, or medical records were compromised.

Hims & Hers, the publicly traded telehealth and wellness company known for its direct-to-consumer prescriptions for hair loss, erectile dysfunction, weight loss, and mental health treatments, confirmed the incident but has been measured in its public statements. As TechRadar reported, the company stated it “identified unauthorized access to a third-party customer support platform” and immediately took steps to contain the incident, including disabling the compromised system and launching an investigation with outside cybersecurity experts.

That third-party vector is the critical detail here. It’s a pattern that has repeated itself across healthcare, finance, and retail over the past several years: attackers don’t need to breach the castle if they can slip in through the servant’s entrance.

The Third-Party Problem That Won’t Go Away

The Hims & Hers incident lands in an environment where third-party vendor breaches have become one of the most persistent and damaging threat vectors in cybersecurity. The MOVEit Transfer hack in 2023, the SolarWinds supply chain attack in 2020, and countless smaller incidents have demonstrated that organizations are only as secure as their weakest vendor relationship. Customer support platforms, which by their nature require access to personal data to function, represent an especially attractive target.

Healthcare data is a prized commodity on dark web marketplaces. Medical records can sell for $250 or more per record — far more than credit card numbers — because they contain a rich combination of personal identifiers useful for insurance fraud, prescription fraud, and identity theft. Even the subset of data stolen in the Hims & Hers breach — names, addresses, emails, and order histories — carries significant value. A customer’s order history from a telehealth company specializing in treatments for sensitive health conditions creates obvious potential for targeted phishing, extortion, or social engineering.

And that’s the part that should worry customers most.

Someone who ordered weight-loss medication or erectile dysfunction treatment through Hims & Hers may not want that information in the hands of criminals. The stigma surrounding certain health conditions creates an asymmetric risk: the data’s blackmail value exceeds its raw identity-theft utility. We’ve seen this playbook before. In 2015, the Ashley Madison breach led to suicides after hackers published user data from the extramarital dating site. The Vastaamo psychotherapy center breach in Finland in 2020 saw attackers directly extort individual patients, threatening to publish therapy session notes.

Hims & Hers has not indicated any evidence of extortion attempts. But the company’s SEC filing language — carefully worded, as these disclosures always are — leaves room for the investigation to uncover additional compromised data categories as forensic analysis continues.

The company said it has notified affected customers and is offering credit monitoring services, a standard response that has become almost reflexive in the wake of data breaches. Whether those measures are proportionate to the actual risk depends on factors the company hasn’t fully disclosed, including exactly how many customers were affected.

A Growing Target on Telehealth’s Back

Hims & Hers went public via a SPAC merger in 2021 and has grown rapidly since, reporting revenue of $872 million in 2023. The company serves millions of subscribers across the United States, many of whom share detailed health questionnaires, prescription information, and payment data through its platform. That growth has made it — and companies like it — a magnet for threat actors.

The telehealth sector expanded dramatically during the COVID-19 pandemic and hasn’t contracted. Companies like Hims & Hers, Ro, Cerebral, and Done operate in a space where convenience is the core value proposition. Customers expect fast, frictionless interactions. That expectation creates tension with security requirements, which inherently add friction. Multi-factor authentication, strict access controls on support platforms, and zero-trust architectures all slow things down. The question for telehealth companies is whether they’ve invested adequately in security infrastructure to match the pace of their customer acquisition.

The broader healthcare sector has been battered by cyberattacks. The Change Healthcare breach in early 2024, which disrupted insurance claims processing across the entire U.S. healthcare system, was a watershed moment. UnitedHealth Group ultimately acknowledged that data from roughly 100 million individuals may have been affected. Ascension Health, one of the nation’s largest hospital systems, suffered a ransomware attack that forced facilities to divert ambulances and revert to paper records. Against that backdrop, the Hims & Hers breach is smaller in scale. But it’s part of the same accelerating trend.

According to the U.S. Department of Health and Human Services’ breach portal, healthcare data breaches affecting 500 or more individuals have been reported at a rate of roughly two per day in 2024 and 2025. The sector is under siege, and telehealth companies — which store sensitive data but often lack the mature security operations of large hospital systems or insurers — represent a growing share of the target surface.

Hims & Hers’ stock (NYSE: HIMS) has been volatile in recent months for reasons unrelated to the breach, including regulatory uncertainty around compounded GLP-1 weight loss drugs like semaglutide, which have been a significant revenue driver. The cyberattack adds another layer of risk. Investors will be watching for any indication that the breach’s scope was larger than initially reported — a common pattern in cyber incidents, where initial disclosures often understate the damage.

The SEC’s cybersecurity disclosure rules, which took effect in December 2023, require public companies to report material cybersecurity incidents within four business days of determining materiality. Hims & Hers’ filing suggests the company assessed this breach as meeting that threshold, which in itself signals the company views the incident as significant to investors.

What Comes Next

Several open questions remain. The company hasn’t named the third-party customer support vendor involved in the breach. That matters because other companies likely use the same platform, meaning additional disclosures from other organizations could follow. If the attack exploited a vulnerability in the vendor’s software rather than stolen credentials specific to Hims & Hers, the blast radius could extend well beyond one company.

Hims & Hers also hasn’t disclosed the precise number of affected individuals, the timeline of the unauthorized access, or whether any health-related data beyond order information was exposed. Order data from a telehealth pharmacy is inherently health-related — knowing someone ordered finasteride or sildenafil or semaglutide reveals medical information even if the formal medical record wasn’t breached.

So where does this leave customers? In the familiar, frustrating position of monitoring credit reports, changing passwords, and watching their inboxes for phishing attempts that use their stolen data to appear legitimate. The credit monitoring offer is a gesture, but it doesn’t address the specific risks created by exposure of health-related purchasing data.

For the telehealth industry more broadly, the breach is another data point in an argument that regulators, patients, and investors are increasingly making: that the sector needs to treat cybersecurity not as a cost center but as a core operational requirement. The convenience that drives telehealth adoption is also the vulnerability that attackers exploit. Building security into customer-facing systems — including the third-party tools that handle the messy, human work of customer support — isn’t optional anymore.

It never was. But breaches like this one make the cost of underinvestment impossible to ignore.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us