Hims & Hers Health Data Breach (April 2026): Support Tickets Exposed in Social Engineering Attack


TeckUpWave Team

4/18/2026 | 4 min read


In the fast-growing world of direct-to-consumer telehealth, Hims & Hers Health, Inc. has become a household name. With roughly 2.5 million subscribers relying on the platform for everything from hair loss treatments and skincare to weight-loss medications and sexual health prescriptions, the company handles deeply personal health data every day.

But in early April 2026, Hims & Hers quietly began notifying a limited group of customers about a data breach that exposed customer support tickets. The incident, which stemmed from a sophisticated social engineering attack on a third-party platform, has sparked concern among privacy advocates and triggered class-action investigations. Here’s the complete story, straight from official notifications, regulatory filings, and cybersecurity reporting.

What Happened: The Breach Timeline

  • February 4–7, 2026: Unauthorized access occurred. Attackers gained entry to Hims & Hers’ third-party customer service platform (widely reported as Zendesk) and accessed or acquired certain support tickets. Reports indicate the breach involved social engineering that compromised Okta single sign-on (SSO) credentials belonging to employees, allowing the intruders to move laterally into the support system. Some sources link the activity to the ShinyHunters extortion group.

  • February 5, 2026: Hims & Hers detected suspicious activity and immediately secured the platform.

  • March 3, 2026: After a full review of the affected tickets, the company confirmed that personal information belonging to a limited set of individuals had been exposed.

  • April 2, 2026: Notification letters began going out to impacted customers. The company filed details with the California Attorney General’s office, triggering public awareness of the incident in early April.

The breach window was short—just four days—but the support tickets contained more than basic contact details. Customers who reached out to support between mid-February 2025 and February 2026 may have had their queries, order information, treatment categories, and general correspondence exposed.

What Data Was (and Wasn’t) Compromised

According to the official breach notification letter sent to affected individuals:

  • Exposed: Full names, contact information (email addresses, phone numbers, physical mailing addresses), and other details contained in the support tickets, including order-related information and general customer correspondence.

  • NOT Exposed: Customer medical records, electronic health records (EHR), or any direct communications with licensed healthcare providers on the Hims & Hers platform. The company has repeatedly emphasized that its core electronic medical record systems remained untouched.

While this wasn’t a full-scale compromise of sensitive clinical data, support tickets in telehealth often reveal highly personal context—questions about prescriptions, side effects, or account issues tied to intimate health concerns. That context makes the breach more than a simple “name and email” incident.

Exact numbers of affected customers have not been publicly disclosed. Hims & Hers described it as a “limited set,” and California law only requires notification for breaches impacting 500 or more state residents, so the total is likely in that range or higher—but nowhere near the company’s full 2.5 million subscriber base.

Hims & Hers’ Response

The company acted quickly once suspicious activity was flagged:

  • Secured the customer service platform immediately.

  • Launched a forensic investigation.

  • Notified law enforcement and relevant regulators.

  • Began offering 12 months of complimentary credit monitoring and identity restoration services through Cyberscout (a TransUnion company) to everyone who received a notice.

  • Stated it is reviewing internal policies and procedures to prevent similar incidents.

Affected customers received letters dated April 2, 2026, with enrollment instructions for the free monitoring services (via https://bfs.cyberscout.com/activate and a unique code) and a dedicated support line: 1-833-319-5614.

What This Means for Telehealth Users and the Industry

This breach highlights a growing vulnerability in the telehealth sector: third-party platforms. Many companies outsource customer support to SaaS tools like Zendesk for scalability, but those tools often become high-value targets when protected only by SSO credentials.

Social engineering attacks on Okta and similar identity providers have become a favorite tactic for groups like ShinyHunters. Once inside, attackers can quietly exfiltrate years of support tickets without triggering immediate alarms in the core medical systems.
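A defender-side sketch of how that kind of quiet bulk read can be surfaced from support-platform audit data (an added example, not from Hims & Hers, Zendesk, or Okta). The event tuple layout, the agent names, and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_bulk_history_reads(events, window=timedelta(hours=24),
                            min_tickets=50, min_span_days=180):
    """Flag actors who, inside one time window, read many distinct tickets
    whose creation dates span a long period. Routine support work touches
    recent tickets; a sweep across a year of history does not look like that.
    Returns {actor: (distinct_tickets, created_span_days)} for the worst window."""
    by_actor = defaultdict(list)
    for ts, actor, ticket_id, created in events:  # hypothetical audit schema
        by_actor[actor].append((datetime.fromisoformat(ts), ticket_id,
                                datetime.fromisoformat(created)))
    flagged = {}
    for actor, rows in by_actor.items():
        rows.sort(key=lambda r: r[0])
        left = 0
        for right in range(len(rows)):
            # Slide the left edge so the window never exceeds `window`.
            while rows[right][0] - rows[left][0] > window:
                left += 1
            in_win = {tid: created for _, tid, created in rows[left:right + 1]}
            span = (max(in_win.values()) - min(in_win.values())).days
            if len(in_win) >= min_tickets and span >= min_span_days:
                best = flagged.get(actor, (0, 0))
                flagged[actor] = max(best, (len(in_win), span))
    return flagged

def build_sample_events():
    """Constructed sample data: one routine agent, one history sweep."""
    base = datetime(2026, 1, 10, 9, 0)
    events = []
    for i in range(30):   # agent.a: 30 recent tickets over a working day
        events.append(((base + timedelta(minutes=15 * i)).isoformat(), "agent.a",
                       f"T{9000 + i}", (base - timedelta(days=i % 7)).isoformat()))
    for i in range(120):  # agent.b: 120 tickets in two hours, ~1 year of history
        events.append(((base + timedelta(minutes=i)).isoformat(), "agent.b",
                       f"T{1000 + i}", (base - timedelta(days=3 * i)).isoformat()))
    return events

if __name__ == "__main__":
    print(flag_bulk_history_reads(build_sample_events()))
```

The thresholds need tuning against each team's normal read volume; the useful signal is the combination of volume and ticket-age spread for a single SSO identity, not either one alone.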

For Hims & Hers customers:

  • If you received a letter, enroll in the credit monitoring ASAP (within 90 days).

  • Monitor your accounts, credit reports (free at annualcreditreport.com), and watch for phishing attempts that could reference your Hims & Hers support history.

  • Consider placing a fraud alert or credit freeze if you feel at risk.

For the broader industry, this is another reminder that “limited” breaches involving support data can still carry serious privacy implications—especially when the support conversations revolve around sensitive health topics.

The Bigger Picture

Hims & Hers is one of the most visible players in the $100+ billion telehealth market. The fact that attackers targeted the support layer rather than the medical backend shows how sophisticated threat actors have become: they’re after any data that can be monetized on dark web markets or used for follow-on phishing and identity theft.

As of April 18, 2026, multiple law firms have already announced investigations into potential class-action claims. Whether those lead to lawsuits remains to be seen, but the incident underscores the need for stronger vendor security requirements and better employee training against social engineering.

Have you received a Hims & Hers breach notification? Drop your thoughts (anonymously if you prefer) in the comments. We’ll keep following this story as more details emerge—especially around the exact number of affected users and any updates from the company.

Stay safe out there, and remember: in the age of telehealth convenience, your support ticket history can be just as valuable to attackers as your medical file.

Sources: Official Hims & Hers breach notification (CA AG filing), TechCrunch, HIPAA Journal, Cybersecurity Dive, BleepingComputer, and other verified cybersecurity reports.
