On April 2, 2026, telehealth giant Hims & Hers Health disclosed that hackers breached its third-party customer support platform through a social engineering attack, stealing customer names, email addresses, phone numbers, physical addresses, and treatment categories from support tickets submitted between mid-February 2025 and February 2026. The breach, which occurred between February 4 and 7, 2026, was first detected on February 5 when suspicious activity was flagged on the ticketing system.

Why It Matters

The Hims & Hers breach highlights the acute vulnerability of sexual health data. Unlike a typical e-commerce breach, the stolen information here links real names and addresses to specific sexual health treatment categories — ED, premature ejaculation, sexual wellness — creating potential for targeted embarrassment or extortion. For an industry built on discretion, breaches involving sexual health data carry outsized reputational risk. The incident also underscores that even well-funded telehealth platforms remain vulnerable to basic social engineering, and that third-party customer support vendors represent a persistent weak link in the data security chain. Adding to the company's legal exposure, the Schall Law Firm announced on April 1 that it is separately investigating potential securities fraud, examining whether Hims & Hers issued misleading statements about its compounded drug business amid FDA scrutiny over mass-marketed compounded GLP-1 drugs.

The attack targeted two Hims & Hers employees who were tricked into granting access to the system. The company emphasized that its core electronic health records were not compromised — only the third-party customer service platform was affected. However, the stolen support tickets contained sensitive contextual information: customers who wrote in about ED prescriptions, hair loss treatments, or weight management had their treatment categories exposed alongside their personal contact details.

Hims & Hers, which serves over 2.4 million subscribers and reported $872 million in revenue for 2024, disclosed the incident in its 2025 Annual Report filed with the SEC and notified the California Attorney General's Office. Affected individuals are being offered 12 months of complimentary credit monitoring and identity restoration services through Cyberscout, a TransUnion company. Class action attorneys have already begun investigating potential claims.

The breach comes at a particularly sensitive moment for the company. Hims & Hers is in the midst of integrating its $1.15 billion acquisition of Australian telehealth firm Eucalyptus, expanding into Australia, Japan, the UK, Germany, and Canada. The company's stock, which had surged 57% in a single week after the Novo Nordisk GLP-1 partnership in March, dipped on the breach news as investors weighed the reputational and legal exposure.

Update — 2026-04-03

Initial entry — story first created.


Update — 2026-04-04

The legal machinery is ramping up. On April 3, national plaintiffs' firm Edelson Lechtzin LLP issued a formal press release announcing its investigation into a potential class action on behalf of individuals whose personal data was compromised in the breach. The firm is seeking to establish liability for Hims & Hers' failure to protect sensitive customer information handled through its third-party support platform. Separately, privacy advocacy site PrivacyGuides included the Hims & Hers incident in its weekly "Data Breach Roundup" for March 27–April 2, broadening public awareness of the breach beyond healthcare trade media.

The company is offering affected individuals 12 months of complimentary credit monitoring and identity restoration services through Cyberscout, a TransUnion subsidiary. However, given that the stolen data includes treatment categories linking real identities to sexual health conditions — ED, hair loss, weight management — the exposure risk extends beyond financial fraud into potential personal embarrassment or targeted harassment, a dimension standard credit monitoring does not address. With the Schall Law Firm's securities fraud investigation (announced April 1) running in parallel, Hims & Hers now faces legal exposure on two distinct fronts: data privacy liability and allegations of misleading investors.

Update — 2026-04-08

The ShinyHunters connection is now confirmed and the legal exposure is widening. Malwarebytes reported on April 7 that the ShinyHunters extortion gang was behind the breach, compromising single sign-on (SSO) accounts through social engineering by impersonating IT support and tricking two employees into entering credentials. Consumer notification letters were dated April 2, with Hims & Hers offering 12 months of complimentary credit monitoring through Cyberscout (TransUnion). The breach affected support tickets submitted between mid-February 2025 and February 2026, exposing names, contact information, and treatment categories — though medical records and provider communications were not compromised. Bryson Harris Suciu & DeMay PLLC has joined Edelson Lechtzin LLP in investigating potential class actions. Meanwhile, HIMS stock rebounded 5.96% on April 6 as investors refocused on growth outlook, buoyed by the Novo Nordisk GLP-1 partnership and FDA easing of restrictions on compounded peptides — suggesting the market views the breach as a manageable bump rather than an existential threat.
