Hims & Hers confirms limited data taken in social attack
What happens when a phishing-style trap hits a large telehealth provider? The Hims breach revealed that even trusted support systems can be an entry point. Hims & Hers, a San Francisco-based telehealth company, said it was struck by a sophisticated social engineering attack in February that led to unauthorized access on a third-party customer service platform.
Company filings noted that an unknown party gained access to service tickets between Feb. 4 and Feb. 7, and that the firm discovered the suspicious activity on Feb. 5. The filing Thursday with the California Attorney General’s office said Hims & Hers immediately took steps to secure its customer service environment and opened an investigation.
A company spokesperson said, “We have confirmed that our electronic medical record and communications with healthcare providers on our platform were not accessed,” and added, “Third-party access was limited to our customer service software platform, and data accessed primarily included customer names and email addresses.” The duo of statements aims to reassure users that core medical systems remained intact despite the intrusion.
The firm, which has about 2.5 million subscribers, is a major provider of health treatments and wellness products. Just last month, the company announced an agreement with Novo Nordisk to offer FDA-approved weight-loss medications with medical support. The filing reiterated that customer medical records and communications with healthcare providers were not accessed during the incident.
Now the company needs to show it can shore up vendor controls and communications quickly. The Hims breach demands a clear plan for both remediation and public confidence.
Officials said they have notified law enforcement and are reviewing internal policies to cut down on the chance of recurrence. The social engineering attack targeted two employees, the company disclosed in its Feb. 22 10-K filing. According to that report, the hackers may have gained access to some treatment information for certain customers who contacted the company’s customer service department through the online platform between February 2025 and February 2026.
Hims & Hers officials told US News Hub Misryoum that they do not expect the incident to have a material impact on the company’s financial performance. Still, the episode illustrates how third-party platforms can amplify risk for even well-known brands. As regulators and partners press for stronger safeguards, the Hims security incident and Hims hack synonyms reflect different ways stakeholders will refer to the same vulnerability. The company now faces both technical fixes and the task of reassuring its subscriber base about future protections.