Telehealth Giant Him & Hers Announces Data Breach
The direct-to-consumer telehealth company Him & Hers has experienced a data breach. In early February, an unauthorized third party gained access to its third-party customer service platform and acquired support tickets that contained personal information.
Him % Hers, a provider of wellness products and health treatments to around 2.5 million subscribers, identified suspicious activity within its customer service platform on February 5, 2026. Him & Hers took steps to secure the platform and launched an investigation to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to the platform from February 4, 2026, to February 7, 2026. During that time, certain tickets sent to the customer service team were subjected to unauthorized access or were acquired. Him & Hers said access was gained through “a sophisticated social engineering attack.”
Him & Hers reviewed the affected tickets and, on March 3, 2026, confirmed that they contained personal information such as names and contact information; however, customers’ medical records were not involved, and there was no unauthorized access to communications with healthcare providers on the platform. Law enforcement was notified about the incident, and individual notification letters are being mailed to the affected individuals. While the data compromised in the incident is limited, Him & Hers is offering complimentary single-bureau credit monitoring and identity theft protection services for 12 months.
Him & Hers has conducted a review of its policies and procedures related to privacy and security and is taking steps to prevent similar incidents in the future. While the incident has been reported to regulators, including the California Attorney General, Him & Hers has not publicly disclosed the number of individuals affected by the incident.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The threat group behind the attack was not disclosed by Him & Hers; however, Bleeping Computer reports that the ShinyHunters threat group was behind the attack. The attack was part of a broader campaign targeting multiple companies. The threat group compromises Okta SSO accounts to gain access to data storage environments and steals data for extortion purposes. In this case, ShinyHunters used the Okta SSO account to access the Him & Hers Zendesk instance and stole millions of support tickets.
