Telehealth Giant Hims Hit By Data Breach Exposing Medical Records

Telehealth company Hims & Hers Health has confirmed a data breach that exposed some of the most sensitive categories of personal information a company can hold: Protected Health Information (PHI). The breach occurred after threat actors gained unauthorized access to a third-party customer support platform used by the company. Exposed data included information contained in customer support tickets, which in a telehealth context means details tied to prescriptions, medical consultations, and personal health conditions.

The hacker group ShinyHunters has claimed responsibility for the attack. The group is well known in cybersecurity circles for large-scale data theft operations and has been linked to several high-profile breaches in recent years. Their involvement raises immediate concerns about what happens to the stolen data next, including the potential for extortion, resale on dark web markets, or targeted phishing campaigns against affected users.

Why Third-Party Vendors Are a Weak Link in Healthcare Security

One of the most important details in this breach is where it happened: not inside Hims' core infrastructure, but through a third-party customer support platform. This is a pattern that has become increasingly common and increasingly consequential.

Large companies routinely outsource functions like customer support, billing, and data storage to specialized vendors. Each of those vendors becomes an extension of the company's attack surface. When a user signs up for a telehealth service, they are not just trusting that company with their data. They are also trusting every vendor, contractor, and software provider that company works with.

This is particularly problematic in healthcare. Under U.S. law, companies handling PHI are required to ensure their business associates and vendors meet HIPAA compliance standards. But compliance on paper does not always translate into effective real-world security. A well-resourced company like Hims can invest heavily in its own defenses while remaining exposed through a vendor with weaker controls.

The Hims breach is not an isolated case. Healthcare and telehealth companies have become prime targets precisely because the data they hold is so valuable. Medical records fetch significantly higher prices on criminal markets than credit card numbers, because they contain information that cannot be easily changed and can be used for insurance fraud, identity theft, and targeted social engineering.

What This Means For You

If you are a Hims or Hims & Hers customer, you should assume that information you shared through customer support channels may have been exposed. This could include your name, contact details, and details about medical consultations or prescriptions you have discussed with the support team.

More broadly, this breach is a useful reminder of the risks that come with storing sensitive personal information in centralized systems. Telehealth platforms are built around convenience, and that convenience often means consolidating your health data in ways that create attractive targets for attackers. The more data a company holds, and the more vendors it shares that data with, the larger the potential blast radius when something goes wrong.

This does not mean you should avoid telehealth services. For many people, they provide access to care that would otherwise be difficult or expensive to obtain. But it does mean you should think carefully about what information you share through any digital health platform, including through support tickets and chat functions, which may be stored and processed outside the company's primary systems.

Actionable Steps After a Health Data Breach

If you use Hims & Hers or a similar telehealth platform, here are some concrete steps worth taking right now:

  • Monitor for phishing attempts. Attackers who obtain health-related data often use it to craft highly convincing phishing messages. Be skeptical of any unsolicited emails or messages that reference your health conditions, medications, or previous interactions with the platform.
  • Check your accounts. Review your Hims account and any linked payment methods for unusual activity. Report anything suspicious to both the platform and your financial institution.
  • Watch for identity fraud. Medical identity theft, where someone uses your information to fraudulently obtain prescriptions or insurance benefits, can be difficult to detect. Consider placing a fraud alert with the major credit bureaus and monitoring your insurance statements for services you did not receive.
  • Limit what you share in support tickets. Going forward, be mindful that customer support channels at any company may be handled by third-party vendors with their own security posture. Avoid sharing more detail than is strictly necessary.
  • Stay informed about the breach. Watch for official communications from Hims about the scope of the incident and any remediation steps they offer, such as credit monitoring services.

Data breaches at healthcare companies are not going away. As more health services move online, the amount of sensitive medical data held by digital platforms will only grow. Being a careful and informed user of these services is one of the most effective defenses available to ordinary people. Understanding who holds your data, and what they do with it, is a reasonable starting point for protecting yourself.