On April 2, 2026, telehealth giant Hims & Hers Health disclosed that hackers breached its third-party customer support platform through a social engineering attack, stealing customer names, email addresses, phone numbers, physical addresses, and treatment categories from support tickets submitted between mid-February 2025 and February 2026. The breach, which occurred between February 4 and 7, 2026, was first detected on February 5 when suspicious activity was flagged on the ticketing system.

Why It Matters

The Hims & Hers breach highlights the acute vulnerability of sexual health data. Unlike a typical e-commerce breach, the stolen information here links real names and addresses to specific sexual health treatment categories — ED, premature ejaculation, sexual wellness — creating potential for targeted embarrassment or extortion. For an industry built on discretion, breaches involving sexual health data carry outsized reputational risk. The incident also underscores that even well-funded telehealth platforms remain vulnerable to basic social engineering, and that third-party customer support vendors represent a persistent weak link in the data security chain. Adding to the company's legal exposure, the Schall Law Firm announced on April 1 that it is separately investigating potential securities fraud, examining whether Hims & Hers issued misleading statements about its compounded drug business amid FDA scrutiny over mass-marketed compounded GLP-1 drugs.

The attack targeted two Hims & Hers employees who were tricked into granting access to the system. The company emphasized that its core electronic health records were not compromised — only the third-party customer service platform was affected. However, the stolen support tickets contained sensitive contextual information: customers who wrote in about ED prescriptions, hair loss treatments, or weight management had their treatment categories exposed alongside their personal contact details.

Hims & Hers, which serves over 2.4 million subscribers and reported $872 million in revenue for 2024, disclosed the incident in its 2025 Annual Report filed with the SEC and notified the California Attorney General's Office. Affected individuals are being offered 12 months of complimentary credit monitoring and identity restoration services through Cyberscout, a TransUnion company. Class action attorneys have already begun investigating potential claims.

The breach comes at a particularly sensitive moment for the company. Hims & Hers is in the midst of integrating its $1.15 billion acquisition of Australian telehealth firm Eucalyptus, expanding into Australia, Japan, the UK, Germany, and Canada. The company's stock, which had surged 57% in a single week after the Novo Nordisk GLP-1 partnership in March, dipped on the breach news as investors weighed the reputational and legal exposure.

Update — 2026-04-03

Initial entry — story first created.