# Hims & Hers Data Breach Exposes Sensitive Customer Data via Third-Party Platform

Telehealth provider **Hims & Hers Health** (Hims) recently suffered a data breach stemming from a vulnerability in its third-party customer support platform. The incident exposed sensitive personal health information (PHI), potentially putting customers at risk of blackmail and other serious consequences.

## Breach Details
The breach, initially detected on February 5th, involved unauthorized access to customer support tickets between February 4th and 7th. **Hims** disclosed the incident to the Vermont Attorney General's Office, stating that the compromised tickets contained names and medical information of affected customers. Email addresses were also reportedly impacted.
The company took a month to determine the scope of the breach and another month to begin notifying affected customers. The specific third-party support platform involved has not been disclosed.
## ShinyHunters Claim
The infamous **ShinyHunters** group allegedly claimed responsibility for the attack, according to a BleepingComputer report. However, this claim remains unverified.
## Customer Trust Eroded
"This isn't just a data breach — it's a breakdown in the customer relationship," says Baker Johnson, chief business officer at **UJET**. "When someone reaches out for support, especially in healthcare, that's a moment of trust. They reached out for help and instead had their trust compromised. That changes how they engage — and once that hesitation sets in, loyalty is already at risk."
## Risk of Blackmail
**Hims** specializes in addressing sensitive medical issues such as erectile dysfunction, balding, and mental health, and often targets a younger demographic. Exposure of this type of PHI raises the specter of blackmail, a risk that exceeds those typically associated with general PHI leaks.
While there is no evidence that **ShinyHunters** or any other group has leaked the stolen **Hims** data, the group has a history of doing so when victims refuse to pay extortion demands.
## Securing Customer Service Platforms
Johnson from **UJET** emphasizes the need for a more secure approach to managing customer service data: "The path forward is designing experiences where data doesn't sit scattered across systems in the first place, but where it moves securely, stays within trusted environments, and only exists as long as it's needed... Because in the end, security isn't a feature of the experience. It's what makes the experience trustworthy."